CEH-CL_Set_3

217 ( Topic 5) Drag the term to match with its description Exhibit:

:

221 ( Topic 5) How would you describe an attack where an attacker attempts to deliver the payload over multiple packets over long periods of time with the purpose of defeating simple pattern matching in IDS systems without session reconstruction? A characteristic of this attack would be a continuous stream of small packets. A. Session Splicing B. Session Stealing C. Session Hijacking D. Session Fragmentation

: A

250 ( Topic 7) Daryl is a network administrator working for Dayton Technologies. Since Daryls background is in web application development, many of the programs and applications his company uses are web-based. Daryl sets up a simple forms-based logon screen for all the applications he creates so they are secure. The problem Daryl is having is that his users are forgetting their passwords quite often and sometimes he does not have the time to get into his applications and change the passwords for them. Daryl wants a tool or program that can monitor web-based passwords and notify him when a password has been changed so he can use that tool whenever a user calls him and he can give them their password right then. What tool would work best for Daryls needs? A. Password sniffer B. L0phtcrack C. John the Ripper D. WinHttrack

: A Explanation: L0phtCrack is a password auditing and recovery application (now called LC5), originally produced by Mudge from L0pht Heavy Industries. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords. John the Ripper is one of the most popular password testing/breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customisable cracker. It can be run against various encrypted password formats including several crypt password hash types WinHttrack is a offline browser. A password sniffer would give Daryl the passwords when they are changed as it is a web based authentication over a simple form but still it would be more correct to give the users new passwords instead of keeping a copy of the passwords in clear text.

243 ( Topic 6) You want to use netcat to generate huge amount of useless network data continuously for various performance testing between 2 hosts. Which of the following commands accomplish this? A. Machine A #yes AAAAAAAAAAAAAAAAAAAAAA | nc v v l p 2222 > /dev/null Machine B #yes BBBBBBBBBBBBBBBBBBBBBB | nc machinea 2222 > /dev/null B. Machine A cat somefile | nc v v l p 2222 Machine B cat somefile | nc othermachine 2222 C. Machine A nc l p 1234 | uncompress c | tar xvfp Machine B tar cfp - /some/dir | compress c | nc w 3 machinea 1234 D. Machine A while true : do nc v l s p 6000 machineb 2 Machine B while true ; do nc v l s p 6000 machinea 2 done

: A Explanation: Machine A is setting up a listener on port 2222 using the nc command and then having the letter A sent an infinite amount of times, when yes is used to send data yes NEVER stops until it recieves a break signal from the terminal (Control+C), on the client end (machine B), nc is being used as a client to connect to machine A, sending the letter B and infinite amount of times, while both clients have established a TCP connection each client is infinitely sending data to each other, this process will run FOREVER until it has been stopped by an administrator or the attacker.

299 ( Topic 8) Which one of the following network attacks takes advantages of weaknesses in the fragment reassembly functionality of the TCP/IP protocol stack? A. Teardrop B. Smurf C. Ping of Death D. SYN flood E. SNMP Attack

: A Explanation: The teardrop attack uses overlapping packet fragments to confuse a target system and cause the system to reboot or crash.

282 ( Topic 8) What happens during a SYN flood attack? A. TCP connection requests floods a target machine is flooded with randomized source address & ports for the TCP ports. B. A TCP SYN packet, which is a connection initiation, is sent to a target machine, giving the target hosts address as both source and destination, and is using the same port on the target host as both source and destination. C. A TCP packet is received with the FIN bit set but with no ACK bit set in the flags field. D. A TCP packet is received with both the SYN and the FIN bits set in the flags field.

: A Explanation: To a server that requires an exchange of a sequence of messages. The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending a SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message and then data can be exchanged. At the point where the server system has sent an acknowledgment (SYN-ACK) back to client but has not yet received the ACK message, there is a half-open connection. A data structure describing all pending connections is in memory of the server that can be made to overflow by intentionally creating too many partially open connections. Another common attack is the SYN flood, in which a target machine is flooded with TCP connection requests. The source addresses and source TCP ports of the connection request packets are randomized; the purpose is to force the target host to maintain state information for many connections that will never be completed. SYN flood attacks are usually noticed because the target host (frequently an HTTP or SMTP server) becomes extremely slow, crashes, or hangs. It's also possible for the traffic returned from the target host to cause trouble on routers; because this return traffic goes to the randomized source addresses of the original packets, it lacks the locality properties of "real" IP traffic, and may overflow route caches. On Cisco routers, this problem often manifests itself in the router running out of memory.

252 ( Topic 7) John the hacker is sniffing the network to inject ARP packets. He injects broadcast frames onto the wire to conduct MiTM attack. What is the destination MAC address of a broadcast frame? A. 0xFFFFFFFFFFFF B. 0xAAAAAAAAAAAA C. 0xBBBBBBBBBBBB D. 0xDDDDDDDDDDDD

: A Explanation: 0xFFFFFFFFFFFF is the destination MAC address of the broadcast frame.

241 ( Topic 6) Which definition below best describes a covert channel? A. Making use of a Protocol in a way it was not intended to be used B. It is the multiplexing taking place on communication link C. It is one of the weak channels used by WEP that makes it insecure D. A Server Program using a port that is not well known

: A Explanation: A covert channel is a hidden communication channel not intended for information transfer at all. Redundancy can often be used to communicate in a covert way. There are several ways that hidden communication can be set up.

264 ( Topic 7) How would you describe a simple yet very effective mechanism for sending and receiving unauthorized information or data between machines without alerting any firewalls and IDS's on a network? A. Covert Channel B. Crafted Channel C. Bounce Channel D. Deceptive Channel

: A Explanation: A covert channel is described as: "any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy." Essentially, it is a method of communication that is not part of an actual computer system design, but can be used to transfer information to users or system processes that normally would not be allowed access to the information.

275 ( Topic 8) Eve decides to get her hands dirty and tries out a Denial of Service attack that is relatively new to her. This time she envisages using a different kind of method to attack Brownies Inc. Eve tries to forge the packets and uses the broadcast address. She launches an attack similar to that of fraggle. What is the technique that Eve used in the case above? A. Smurf B. Bubonic C. SYN Flood D. Ping of Death

: A Explanation: A fraggle attack is a variation of the smurf attack for denial of service in which the attacker sends spoofed UDP packets instead of ICMP echo reply (ping) packets to the broadcast address of a large network.

211 ( Topic 5) Which of the following is an attack in which a secret value like a hash is captured and then reused at a later time to gain access to a system without ever decrypting or decoding the hash. A. Replay Attacks B. Brute Force Attacks C. Cryptography Attacks D. John the Ripper Attacks

: A Explanation: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it.

216 ( Topic 5) What hacking attack is challenge/response authentication used to prevent? A. Replay attacks B. Scanning attacks C. Session hijacking attacks D. Password cracking attacks

: A Explanation: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it. With a challenge/response authentication you ensure that captured packets cant be retransmitted without a new authentication.

256 ( Topic 7) Harold is the senior security analyst for a small state agency in New York. He has no other security professionals that work under him, so he has to do all the security- related tasks for the agency. Coming from a computer hardware background, Harold does not have a lot of experience with security methodologies and technologies, but he was the only one who applied for the position. Harold is currently trying to run a Sniffer on the agencys network to get an idea of what kind of traffic is being passed around but the program he is using does not seem to be capturing anything. He pours through the sniffers manual but cant find anything that directly relates to his problem. Harold decides to ask the network administrator if the has any thoughts on the problem. Harold is told that the sniffer was not working because the agencys network is a switched network, which cant be sniffed by some programs without some tweaking. What technique could Harold use to sniff agencys switched network? A. ARP spoof the default gateway B. Conduct MiTM against the switch C. Launch smurf attack against the switch D. Flood switch with ICMP packets

: A Explanation: ARP spoofing, also known as ARP poisoning, is a technique used to attack an Ethernet network which may allow an attacker to sniff data frames on a local area network (LAN) or stop the traffic altogether (known as a denial of service attack). The principle of ARP spoofing is to send fake, or 'spoofed', ARP messages to an Ethernet LAN. These frames contain false MAC addresses, confusing network devices, such as network switches. As a result frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or an unreachable host (a denial of service attack).

262 ( Topic 7) Bob is conducting a password assessment for one of his clients. Bob suspects that password policies are not in place and weak passwords are probably the norm throughout the company he is evaluating. Bob is familiar with password weakness and key loggers. What are the means that Bob can use to get password from his client hosts and servers? A. Hardware, Software and Sniffing B. Hardware and Software Keyloggers C. Software only, they are the most effective D. Passwords are always best obtained using Hardware key loggers

: A Explanation: All loggers will work as long as he has physical access to the computers.

232 ( Topic 6) Spears Technology, Inc is a software development company located in Los Angeles, California. They reported a breach in security, stating that its security defenses has been breached and exploited for 2 weeks by hackers. The hackers had accessed and downloaded 90,000 address containing customer credit cards and password. Spears Technology found this attack to be so to law enforcement officials to protect their intellectual property. How did this attack occur? The intruder entered through an employees home machine, which was connected to Spears Technology, Incs corporate VPN network. The application called BEAST Trojan was used in the attack to open a Back Door allowing the hackers undetected access. The security breach was discovered when customers complained about the usage of their credit cards without their knowledge. The hackers were traced back to Beijing China through e-mail address evidence. The credit card information was sent to that same e-mail address. The passwords allowed the hackers to access Spears Technologys network from a remote location, posing as employees. The intent of the attacker was to steal the source code for their VOIP system and hold it hostage from Spears Technology, Inc exchange for ransom. The hackers had intended on selling the stolen VOIP software source code to competitors. How would you prevent such attacks from occurring in the future at Spears Technology? A. Disable VPN access to all your employees from home machines B. Allow VPN access but replace the standard authentication with biometric authentication C. Replace the VPN access with dial-up modem access to the company's network D. Enable 25 character complex password policy for employees to access the VPN network.

: A Explanation: As long as there is a way in for employees through all security measures you cant be secure because you never know what computer the employees use to access recourses at their workplace.

289 ( Topic 8) When working with Windows systems, what is the RID of the true administrator account? A. 500 B. 501 C. 1000 D. 1001 E. 1024 F. 512

: A Explanation: Because of the way in which Windows functions, the true administrator account always has a RID of 500.

212 ( Topic 5) When discussing passwords, what is considered a brute force attack? A. You attempt every single possibility until you exhaust all possible combinations or discover the password B. You threaten to use the rubber hose on someone unless they reveal their password C. You load a dictionary of words into your cracking program D. You create hashes of a large number of words and compare it with the encrypted passwords E. You wait until the password expires

: A Explanation: Brute force cracking is a time consuming process where you try every possible combination of letters, numbers, and characters until you discover a match.

210 ( Topic 5) Bob is doing a password assessment for one of his clients. Bob suspects that security policies are not in place. He also suspects that weak passwords are probably the norm throughout the company he is evaluating. Bob is familiar with password weaknesses and key loggers. Which of the following options best represents the means that Bob can adopt to retrieve passwords from his clients hosts and servers. A. Hardware, Software, and Sniffing. B. Hardware and Software Keyloggers. C. Passwords are always best obtained using Hardware key loggers. D. Software only, they are the most effective.

: A Explanation: Different types of keylogger planted into the environment would retrieve the passwords for Bob..

267 ( Topic 7) How do you defend against ARP spoofing? A. Place static ARP entries on servers, workstation and routers B. True IDS Sensors to look for large amount of ARP traffic on local subnets C. Use private VLANS D. Use ARPWALL system and block ARP spoofing attacks

: A,B,C Explanation: ARPWALL is a opensource tools will give early warning when arp attack occurs. This tool is still under construction.

261 ( Topic 7) You are sniffing as unprotected WiFi network located in a JonDonalds Cybercafe with Ethereal to capture hotmail e-mail traffic. You see lots of people using their laptops browsing the web while snipping brewed coffee from JonDonalds. You want to sniff their email message traversing the unprotected WiFi network. Which of the following ethereal filters will you configure to display only the packets with the hotmail messages? A. (http contains "hotmail") && ( http contains "Reply-To") B. (http contains "e-mail" ) && (http contains "hotmail") C. (http = "login.passport.com" ) && (http contains "SMTP") D. (http = "login.passport.com" ) && (http contains "POP3")

: A Explanation: Each Hotmail message contains the tag Reply-To:<sender address> and xxxx-xxx-xxx.xxxx.hotmail.com in the received tag.

239 ( Topic 6) You are writing an antivirus bypassing Trojan using C++ code wrapped into chess.c to create an executable file chess.exe. This Trojan when executed on the victim machine, scans the entire system (c:\) for data with the following text Credit Card and password. It then zips all the scanned files and sends an email to a predefined hotmail address. You want to make this Trojan persistent so that it survives computer reboots. Which registry entry will you add a key to make it persistent? A. HKEY_LOCAL_MACHINE\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServic es B. HKEY_LOCAL_USER\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServices C. HKEY_LOCAL_SYSTEM\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunService s D. HKEY_CURRENT_USER\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServic es

: A Explanation: HKEY_LOCAL_MACHINE would be the natural place for a registry entry that starts services when the MACHINE is rebooted.

296 ( Topic 8) Smurf is a simple attack based on IP spoofing and broadcasts. A single packet (such as an ICMP Echo Request) is sent as a directed broadcast to a subnet on the Internet. All the machines on that subnet respond to this broadcast. By spoofing the source IP Address of the packet, all the responses will get sent to the spoofed IP Address. Thus, a hacker can often flood a victim with hundreds of responses for every request the hacker sends out. Who are the primary victims of these attacks on the Internet today? A. IRC servers are the primary victim to smurf attacks B. IDS devices are the primary victim to smurf attacks C. Mail Servers are the primary victim to smurf attacks D. SPAM filters are the primary victim to surf attacks

: A Explanation: IRC servers are the primary victim to smurf attacks. Script-kiddies run programs that scan the Internet looking for "amplifiers" (i.e. subnets that will respond). They compile lists of these amplifiers and exchange them with their friends. Thus, when a victim is flooded with responses, they will appear to come from all over the Internet. On IRCs, hackers will use bots (automated programs) that connect to IRC servers and collect IP addresses. The bots then send the forged packets to the amplifiers to inundate the victim.

280 ( Topic 8) You have been called to investigate a sudden increase in network traffic at company. It seems that the traffic generated was too heavy that normal business functions could no longer be rendered to external employees and clients. After a quick investigation, you find that the computer has services running attached to TFN2k and Trinoo software. What do you think was the most likely cause behind this sudden increase in traffic? A. A distributed denial of service attack. B. A network card that was jabbering. C. A bad route on the firewall. D. Invalid rules entry at the gateway.

: A Explanation: In computer security, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Typically the targets are high- profile web servers, and the attack attempts to make the hosted web pages unavailable on the Internet. It is a computer crime that violates the Internet proper use policy as indicated by the Internet Architecture Board (IAB). TFN2K and Trinoo are tools used for conducting DDos attacks.

234 ( Topic 6) John wishes to install a new application onto his Windows 2000 server. He wants to ensure that any application he uses has not been Trojaned. What can he do to help ensure this? A. Compare the file's MD5 signature with the one published on the distribution media B. Obtain the application via SSL C. Compare the file's virus signature with the one published on the distribution media D. Obtain the application from a CD-ROM disc

: A Explanation: MD5 was developed by Professor Ronald L. Rivest of MIT. What it does, to quote the executive summary of rfc1321, is: In essence, MD5 is a way to verify data integrity, and is much more reliable than checksum and many other commonly used methods.

293 ( Topic 8) Hackers usually control Bots through: A. IRC Channel B. MSN Messenger C. Trojan Client Software D. Yahoo Chat E. GoogleTalk

: A Explanation: Most of the bots out today has a function to connect to a predetermined IRC channel in order to get orders.

233 ( Topic 6) William has received a Tetris game from someone in his computer programming class through email. William does not really know the person who sent the game very well, but decides to install the game anyway because he really likes Tetris. After William installs the game, he plays it for a couple of hours. The next day, William plays the Tetris game again and notices that his machines have begun to slow down. He brings up his Task Manager and sees the following programs running (see Screenshot): What has William just installed? A. Remote Access Trojan (RAT) B. Zombie Zapper (ZoZ) C. Bot IRC Tunnel (BIT) D. Root Digger (RD)

: A Explanation: RATs are malicious programs that run invisibly on host PCs and permit an intruder remote access and control. On a basic level, many RATs mimic the functionality of legitimate remote control programs such as Symantec's pcAnywhere but are designed specifically for stealth installation and operation. Intruders usually hide these Trojan horses in games and other small programs that unsuspecting users then execute on their PCs. Typically, exploited users either download and execute the malicious programs or are tricked into clicking rogue email attachments.

257 ( Topic 7) The network administrator at Spears Technology, Inc has configured the default gateway Cisco Routers access-list as below: You are tried to conduct security testing on their network. You successfully brute- force for SNMP community string using a SNMP crack tool. The access-list configured at the router prevents you from establishing a successful connection. You want to retrieve the Cisco Configuration from the router. How would you proceed? A. Send a customized SNMP set request with spoofed source IP Address in the range- 192.168.1.0 B. Run a network sniffer and capture the returned traffic with the configuration file from the router C. Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking your IP address D. Use the Cisco's TFTP default password to connect and download the configuration file

: A,B Explanation: SNMP is allowed only by access-list 1. Therefore you need to spoof a 192.168.1.0/24 address and then sniff the reply from the gateway.

203 ( Topic 5) You are the IT Manager of a large legal firm in California. Your firm represents many important clients whose names always must remain anonymous to the public. Your boss, Mr. Smith is always concerned about client information being leaked or revealed to the pres or public. You have just finished a complete security overhaul of your information system including an updated IPS, new firewall, email encryption and employee security awareness training. Unfortunately, many of your firms clients do not trust technology to completely secure their information, so couriers routinely have to travel back and forth to and from the office with sensitive information. Your boss has charged you with figuring out how to secure the information the couriers must transport. You propose that the data be transferred using burned CDs or USB flash drives. You initially think of encrypting the files, but decide against that method for fear the encryption keys could eventually be broken. What software application could you use to hide the data on the CDs and USB flash drives? A. Snow B. File Snuff C. File Sneaker D. EFS

: A Explanation: The Snow software developed by Matthew Kwan will insert extra spaces at the end of each line. Three bits are encoded in each line by adding between 0 and 7 spaces that are ignored by most display programs including web browsers.

283 ( Topic 8) When working with Windows systems, what is the RID of the true administrator account? A. 500 B. 501 C. 512 D. 1001 E. 1024 F. 1000

: A Explanation: The built-in administrator account always has a RID of 500.

278 ( Topic 8) Clive has been monitoring his IDS and sees that there are a huge number of ICMP Echo Reply packets that are being received on the external gateway interface. Further inspection reveals that they are not responses from the internal hosts requests but simply responses coming from the Internet. What could be the most likely cause? A. Someone has spoofed Clive's IP address while doing a smurf attack. B. Someone has spoofed Clive's IP address while doing a land attack. C. Someone has spoofed Clive's IP address while doing a fraggle attack. D. Someone has spoofed Clive's IP address while doing a DoS attack.

: A Explanation: The smurf attack, named after its exploit program, is a denial-of-service attack that uses spoofed broadcast ping messages to flood a target system. In such an attack, a perpetrator sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses, all of it having a spoofed source address of the intended victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, hundreds of machines might reply to each packet.

222 ( Topic 5) You are the security administrator for a large online auction company based out of Los Angeles. After getting your ENSA CERTIFICATION last year, you have steadily been fortifying your networks security including training OS hardening and network security. One of the last things you just changed for security reasons was to modify all the built-in administrator accounts on the local computers of PCs and in Active Directory. After through testing you found and no services or programs were affected by the name changes. Your company undergoes an outside security audit by a consulting company and they said that even through all the administrator account names were changed, the accounts could still be used by a clever hacker to gain unauthorized access. You argue with the auditors and say that is not possible, so they use a tool and show you how easy it is to utilize the administrator account even though its name was changed. What tool did the auditors use? A. sid2user B. User2sid C. GetAcct D. Fingerprint

: A Explanation: User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager) from the local or a remote machine Sid2user.exe can then be used to retrieve the names of all the user accounts and more.

273 ( Topic 7) Steven is a senior security analyst for a state agency in Tulsa, Oklahoma. His agency is currently undergoing a mandated security audit by an outside consulting firm. The consulting firm is halfway through the audit and is preparing to perform the actual penetration testing against the agencys network. The firm first sets up a sniffer on the agencys wired network to capture a reasonable amount of traffic to analyze later. This takes approximately 2 hours to obtain 10 GB of data. The consulting firm then sets up a sniffer on the agencys wireless network to capture the same amount of traffic. This capture only takes about 30 minutes to get 10 GB of data. Why did capturing of traffic take much less time on the wireless network? A. Because wireless access points act like hubs on a network B. Because all traffic is clear text, even when encrypted C. Because wireless traffic uses only UDP which is easier to sniff D. Because wireless networks can't enable encryption

: A Explanation: You can not have directed radio transfers over a WLAN. Every packet will be broadcasted as far as possible with no concerns about who might hear it.

227 ( Topic 5) E-mail scams and mail fraud are regulated by which of the following? A. 18 U.S.C. par. 1030 Fraud and Related activity in connection with Computers B. 18 U.S.C. par. 1029 Fraud and Related activity in connection with Access Devices C. 18 U.S.C. par. 1362 Communication Lines, Stations, or Systems D. 18 U.S.C. par. 2510 Wire and Electronic Communications Interception and Interception of Oral Communication

: A Explanation: http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030---- 000-.html Topic 6, Trojans and Backdoors -

253 ( Topic 7) Ethernet switches can be adversely affected by rapidly bombarding them with spoofed ARP responses. He port to MAC Address table (CAM Table) overflows on the switch and rather than failing completely, moves into broadcast mode, then the hacker can sniff all of the packets on the network. Which of the following tool achieves this? A. ./macof B. ./sniffof C. ./dnsiff D. ./switchsnarf

: A Explanation: macof floods the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing).

265 ( Topic 7) A remote user tries to login to a secure network using Telnet, but accidently types in an invalid user name or password. Which responses would NOT be preferred by an experienced Security Manager? (multiple answer) A. Invalid Username B. Invalid Password C. Authentication Failure D. Login Attempt Failed E. Access Denied

: A,B Explanation: As little information as possible should be given about a failed login attempt. Invalid username or password is not desirable.

294 ( Topic 8) If you send a SYN to an open port, what is the correct response?(Choose all correct answers. A. SYN B. ACK C. FIN D. PSH

: A,B Explanation: The proper response is a SYN / ACK. This technique is also known as half- open scanning.

281 ( Topic 8) The SYN Flood attack sends TCP connections requests faster than a machine can process them. Attacker creates a random source address for each packet. SYN flag set in each packet is a request to open a new connection to the server from the spoofed IP Address Victim responds to spoofed IP Address then waits for confirmation that never arrives (timeout wait is about 3 minutes) Victims connection table fills up waiting for replies and ignores new connection legitimate users are ignored and will not be able to access the server How do you protect your network against SYN Flood attacks? A. SYN cookies. Instead of allocating a record, send a SYN-ACK with a carefully constructed sequence number generated as a hash of the clients IP Address port number and other information. When the client responds with a normal ACK, that special sequence number will be included, which the server then verifies. Thus the server first allocates memory on the third packet of the handshake, not the first. B. RST cookies The server sends a wrong SYN|ACK back to the client. The client should then generate a RST packet telling the server that something is wrong. At this point, the server knows the client is valid and will now accept incoming connections from that client normally. C. Micro Blocks. Instead of allocating a complete connection, simply allocate a micro- record of 16-bytes for the incoming SYN object. D. Stack Tweaking. TCP can be tweaked in order to reduce the effect of SYN floods. Reduce the timeout before a stack frees up the memory allocated for a connection.

: A,B,C,D Explanation: All above helps protecting against SYN flood attacks. Most TCP/IP stacks today are already tweaked to make it harder to perform a SYN flood DOS attack against a target.

214 ( Topic 5) Attackers can potentially intercept and modify unsigned SMB packets, modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after a legitimate authentication and gain unauthorized access to data. Which of the following is NOT a means that can be used to minimize or protect against such an attack? A. Timestamps B. SMB Signing C. File permissions D. Sequence numbers monitoring

: A,B,D

224 ( Topic 5) Windows LAN Manager (LM) hashes are known to be weak. Which of the following are known weaknesses of LM? (Choose three) A. Converts passwords to uppercase. B. Hashes are sent in clear text over the network. C. Makes use of only 32 bit encryption. D. Effective length is 7 characters.

: A,B,D Explanation: The LM hash is computed as follows.1. The users password as an OEM string is converted to uppercase. 2. This password is either null-padded or truncated to 14 bytes. 3. The fixed-length password is split into two 7-byte halves. 4. These values are used to create two DES keys, one from each 7-byte half. 5. Each of these keys is used to DES-encrypt the constant ASCII string KGS!@#$%, resulting in two 8-byte ciphertext values. 6. These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash. The hashes them self are sent in clear text over the network instead of sending the password in clear text.

223 ( Topic 5) Which of the following are well know password-cracking programs?(Choose all that apply. A. L0phtcrack B. NetCat C. Jack the Ripper D. Netbus E. John the Ripper

: A,E Explanation: L0phtcrack and John the Ripper are two well know password-cracking programs. Netcat is considered the Swiss-army knife of hacking tools, but is not used for password cracking

238 ( Topic 6) What is a Trojan Horse? A. A malicious program that captures your username and password B. Malicious code masquerading as or replacing legitimate code C. An unauthorized user who gains access to your user database and adds themselves as a user D. A server that is to be sacrificed to all hacking attempts in order to log and monitor the hacking activity

: B Explanation: A Trojan Horse is an apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.

290 ( Topic 8) What happens when one experiences a ping of death? A. This is when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header is set to 18 (Address Mask Reply). B. This is when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP), the Last Fragment bit is set, and (IP offset 8) + (IP data length) >65535. In other words, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet. C. This is when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the source equal to destination address. D. This is when an the IP header is set to 1 (ICMP) and the type field in the ICMP header is set to 5 (Redirect).

: B Explanation: A hacker can send an IP packet to a vulnerable machine such that the last fragment contains an offest where (IP offset *8) + (IP data length)>65535. This means that when the packet is reassembled, its total length is larger than the legal limit, causing buffer overruns in the machine's OS (becouse the buffer sizes are defined only to accomodate the maximum allowed size of the packet based on RFC 791)...IDS can generally recongize such attacks by looking for packet fragments that have the IP header's protocol field set to 1 (ICMP), the last bit set, and (IP offset *8) +(IP data length)>65535" CCIE Professional Development Network Security Principles and Practices by Saadat Malik pg 414 "Ping of Death" attacks cause systems to react in an unpredictable fashion when receiving oversized IP packets. TCP/IP allows for a maximum packet size of up to 65536 octets (1 octet = 8 bits of data), containing a minimum of 20 octets of IP header information and zero or more octets of optional information, with the rest of the packet being data. Ping of Death attacks can cause crashing, freezing, and rebooting.

204 ( Topic 5) If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible? A. Birthday B. Brute force C. Man-in-the-middle D. Smurf

: B Explanation: Brute force attacks are performed with tools that cycle through many possible character, number, and symbol combinations to guess a password. Since the token allows offline checking of PIN, the cracker can keep trying PINS until it is cracked.

240 ( Topic 6) most common commands that hackers usually attempt to Trojan are: A. car, xterm, grep B. netstat, ps, top C. vmware, sed, less D. xterm, ps, nc

: B Explanation: The easiest programs to trojan and the smartest ones to trojan are ones commonly run by administrators and users, in this case netstat, ps, and top, for a complete list of commonly trojaned and rootkited software please reference this URL: http://www.usenix.org/publications/login/1999-9/features/rootkits.html

276 ( Topic 8) The evil hacker, is purposely sending fragmented ICMP packets to a remote target. The total size of this ICMP packet once reconstructed is over 65,536 bytes. From the information given, what type of attack is attempting to perform? A. Syn flood B. Smurf C. Ping of death D. Fraggle

: C Reference: http://insecure.org/sploits/ping-o-death.html

297 ( Topic 8) Which one of the following instigates a SYN flood attack? A. Generating excessive broadcast packets. B. Creating a high number of half-open connections. C. Inserting repetitive Internet Relay Chat (IRC) messages. D. A large number of Internet Control Message Protocol (ICMP) traces.

: B Explanation: A SYN attack occurs when an attacker exploits the use of the buffer space during a Transmission Control Protocol (TCP) session initialization handshake. The attacker floods the target system's small "in-process" queue with connection requests, but it does not respond when a target system replies to those requests. This causes the target system to time out while waiting for the proper response, which makes the system crash or become unusable.

287 ( Topic 8) Henry is an attacker and wants to gain control of a system and use it to flood a target system with requests, so as to prevent legitimate users from gaining access. What type of attack is Henry using? A. Henry is executing commands or viewing data outside the intended target path B. Henry is using a denial of service attack which is a valid threat used by an attacker C. Henry is taking advantage of an incorrect configuration that leads to access with higher- than-expected privilege D. Henry uses poorly designed input validation routines to create or alter commands to gain access to unintended data or execute commands

: B Explanation: Henrys intention is to perform a DoS attack against his target, possibly a DDoS attack. He uses systems other than his own to perform the attack in order to cover the tracks back to him and to get more punch in the DoS attack if he uses multiple systems.

226 ( Topic 5) A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems. However, he is unable to capture any logons though he knows that other users are logging in. What do you think is the most likely reason behind this? A. There is a NIDS present on that segment. B. Kerberos is preventing it. C. Windows logons cannot be sniffed. D. L0phtcrack only sniffs logons to web servers.

: B Explanation: In a Windows 2000 network using Kerberos you normally use pre- authentication and the user password never leaves the local machine so it is never exposed to the network so it should not be able to be sniffed.

292 ( Topic 8) What is the goal of a Denial of Service Attack? A. Capture files from a remote computer. B. Render a network or computer incapable of providing normal service. C. Exploit a weakness in the TCP stack. D. Execute service at PS 1009.

: B Explanation: In computer security, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Typically the targets are high- profile web servers, and the attack attempts to make the hosted web pages unavailable on the Internet. It is a computer crime that violates the Internet proper use policy as indicated by the Internet Architecture Board (IAB).

271 ( Topic 7) What port number is used by Kerberos protocol? A. 44 B. 88 C. 419 D. 487

: B Explanation: Kerberos traffic uses UDP/TCP protocol source and destination port 88.

251 ( Topic 7) A POP3 client contacts the POP3 server: A. To send mail B. To receive mail C. to send and receive mail D. to get the address to send mail to E. initiate a UDP SMTP connection to read mail

: B Explanation: POP is used to receive e-mail.SMTP is used to send e-mail.

220 ( Topic 5) Password cracking programs reverse the hashing process to recover passwords.(True/False. A. True B. False

: B Explanation: Password cracking programs do not reverse the hashing process. Hashing is a one-way process. What these programs can do is to encrypt words, phrases, and characters using the same encryption process and compare them to the original password. A hashed match reveals the true password.

213 ( Topic 5) _________ is a tool that can hide processes from the process list, can hide files, registry entries, and intercept keystrokes. A. Trojan B. RootKit C. DoS tool D. Scanner E. Backdoor

: B Explanation: Rootkits are tools that can hide processes from the process list, can hide files, registry entries, and intercept keystrokes.

230 ( Topic 6) Sniffing is considered an active attack. A. True B. False

: B Explanation: Sniffing is considered a passive attack.

249 ( Topic 7) ARP poisoning is achieved in _____ steps A. 1 B. 2 C. 3 D. 4

: B Explanation: The hacker begins by sending a malicious ARP "reply" (for which there was no previous request) to your router, associating his computer's MAC address with your IP computer. Next, the hacker computer, associating his MAC Address with the . The hacker has now used ARP poisoning to accomplish a MitM attack.

259 ( Topic 7) Exhibit: You have captured some packets in Ethereal. You want to view only packets sent from 10.0.0.22. What filter will you apply? A. ip = 10.0.0.22 B. ip.src == 10.0.0.22 C. ip.equals 10.0.0.22 D. ip.address = 10.0.0.22

: B Explanation: ip.src tells the filter to only show packets with 10.0.0.22 as the source.

248 ( Topic 7) What is the command used to create a binary log file using tcpdump? A. tcpdump -r log - B. tcpdump -w ./log - C. tcpdump -vde -r log - D. tcpdump -l /var/log/

: B ] [ -s ] rather than parsing and printing them out.

246 ( Topic 6) A. An encryption tool to protect the Trojan. B. A tool used to bind the Trojan with legitimate file. C. A tool used to encapsulated packets within a new header and footer. D. A tool used to calculate bandwidth and CPU cycles wasted by the Trojan.

: B executable back-door program legitimate executable, creating a Trojan horse without writing a single line of new code.

277 ( Topic 8) Peter has been monitoring his IDS and sees that there are a huge number of ICMP Echo Reply packets that are being received on the External Gateway interface. Further inspection reveals they are not responses from internal hosts request but simply responses coming from the Internet. What could be the likely cause of this? A. Someone Spoofed Peter's IP Address while doing a land attack B. Someone Spoofed Peter's IP Address while doing a DoS attack C. Someone Spoofed Peter's IP Address while doing a smurf Attack D. Someone Spoofed Peter's IP address while doing a fraggle attack

: C Explanation: An attacker sends forged ICMP echo packets to broadcast addresses of vulnerable networks with forged source address pointing to the target (victim) of the attack. All the systems on these networks reply to the victim with ICMP echo replies. This rapidly exhausts the bandwidth available to the target.

254 ( Topic 7) Samantha was hired to perform an internal security test of company. She quickly realized that all networks are making use of switches instead of traditional hubs. This greatly limits her ability to gather information through network sniffing. Which of the following techniques can she use to gather information from the switched network or to disable some of the traffic isolation features of the switch? (Choose two) A. Ethernet Zapping B. MAC Flooding C. Sniffing in promiscuous mode D. ARP Spoofing

: B,D Explanation: In a typical MAC flooding attack, a switch is flooded with packets, each containing different source MAC addresses. The intention is to consume the limited memory set aside in the switch to store the MAC address-to-physical port translation table.The result of this attack causes the switch to enter a state called failopen mode, in which all incoming packets are broadcast out on all ports (as with a hub), instead of just down the correct port as per normal operation. The principle of ARP spoofing is to send fake, or 'spoofed', ARP messages to an Ethernet LAN. These frames contain false MAC addresses, confusing network devices, such as network switches. As a result frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or an unreachable host (a denial of service attack).

268 ( Topic 7) Which of the following is not considered to be a part of active sniffing? A. MAC Flooding B. ARP Spoofing C. SMAC Fueling D. MAC Duplicating

: C

272 ( Topic 7) Exhibit: ettercap NCLzs --quiet What does the command in the exhibit do in Ettercap? A. This command will provide you the entire list of hosts in the LAN B. This command will check if someone is poisoning you and will report its IP. C. This command will detach from console and log all the collected passwords from the network to a file. D. This command broadcasts ping to scan the LAN instead of ARP request of all the subnet IPs.

: C Explanation: -N = NON interactive mode (without ncurses) -C = collect all users and passwords -L = if used with -C (collector) it creates a file with all the password sniffed in the session in the form "YYYYMMDD-collected-pass.log" -z = start in silent mode (no arp storm on start up) -s = IP BASED sniffing --quiet = "demonize" ettercap. Useful if you want to log all data in background.

295 ( Topic 8) Global deployment of RFC 2827 would help mitigate what classification of attack? A. Sniffing attack B. Denial of service attack C. Spoofing attack D. Reconnaissance attack E. Prot Scan attack

: C Explanation: RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing -

269 ( Topic 7) What does the following command in "Ettercap" do? ettercap NCLzs quiet A. This command will provide you the entire list of hosts in the LAN B. This command will check if someone is poisoning you and will report its IP C. This command will detach ettercap from console and log all the sniffed passwords to a file D. This command broadcasts ping to scan the LAN instead of ARP request all the subset IPs

: C Explanation: -L specifies that logging will be done to a binary file and s tells us it is running in script mode.

291 ( Topic 8) is a DOS attack in which an attacker deliberately violates the three-way handshake and opens a large number of half-open TCP connections. The signature for SYN Flood attack is: A. The source and destination address having the same value. B. The source and destination port numbers having the same value. C. A large number of SYN packets appearing on a network without the corresponding reply packets. D. A large number of SYN packets appearing on a network with the corresponding reply packets.

: C Explanation: A SYN attack occurs when an attacker exploits the use of the buffer space during a Transmission Control Protocol (TCP) session initialization handshake. The attacker floods the target system's small "in-process" queue with connection requests, but it does not respond when a target system replies to those requests. This causes the target system to time out while waiting for the proper response, which makes the system crash or become unusable.

231 ( Topic 6) Which of the following statements would not be a proper definition for a Trojan Horse? A. An unauthorized program contained within a legitimate program. This unauthorized program performs functions unknown (and probably unwanted) by the user. B. A legitimate program that has been altered by the placement of unauthorized code within it; this code perform functions unknown (and probably unwanted) by the user. C. An authorized program that has been designed to capture keyboard keystrokes while the user remains unaware of such an activity being performed. D. Any program that appears to perform a desirable and necessary function but that (because of unauthorized code within it that is unknown to the user) performs functions unknown (and definitely unwanted) by the user.

: C Explanation: A Trojan is all about running unauthorized code on the users computer without the user knowing of it.

219 ( Topic 5) In the context of password security, a simple dictionary attack involves loading a dictionary file (a text file full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper, and running it against user accounts located by the application. The larger the word and word fragment selection, the more effective the dictionary attack is. The brute force method is the most inclusive, although slow. It usually tries every possible letter and number combination in its automated exploration. If you would use both brute force and dictionary methods combined together to have variation of words, what would you call such an attack? A. Full Blown B. Thorough C. Hybrid D. BruteDics

: C Explanation: A combination of Brute force and Dictionary attack is called a Hybrid attack or Hybrid dictionary attack.

205 ( Topic 5) What do Trinoo, TFN2k, WinTrinoo, T-Sight, and Stracheldraht have in common? A. All are hacking tools developed by the legion of doom B. All are tools that can be used not only by hackers, but also security personnel C. All are DDOS tools D. All are tools that are only effective against Windows E. All are tools that are only effective against Linux

: C Explanation: All are DDOS tools.

245 ( Topic 6) After an attacker has successfully compromised a remote computer, what would be one of the last steps that would be taken to ensure that the compromise is not traced back to the source of the problem? A. Install pactehs B. Setup a backdoor C. Cover your tracks D. Install a zombie for DDOS

: C Explanation: As a hacker you don't want to leave any traces that could lead back to you.

274 ( Topic 7) Which of the following display filters will you enable in Ethereal to view the three- way handshake for a connection from host 192.168.0.1? A. ip == 192.168.0.1 and tcp.syn B. ip.addr = 192.168.0.1 and syn = 1 C. ip.addr==192.168.0.1 and tcp.flags.syn D. ip.equals 192.168.0.1 and syn.equals on

: C Topic 8, Denial of Service

225 ( Topic 5) Exhibit - You receive an e-mail with the message displayed in the exhibit. From this e-mail you suspect that this message was sent by some hacker since you have using their e-mail services for the last 2 years and they never sent out an e-mail as this. You also observe the URL in the message and confirm your suspicion about 340590649. You immediately enter the following at the Windows 2000 command prompt. ping 340590649 You get a response with a valid IP address. What is the obstructed IP address in the e-mail URL? A. 192.34.5.9 B. 10.0.3.4 C. 203.2.4.5 D. 199.23.43.4

: C Explanation: Convert the number in binary, then start from last 8 bits and convert them to decimal to get the last octet (in this case .5)

258 ( Topic 7) Ethereal works best on ____________. A. Switched networks B. Linux platforms C. Networks using hubs D. Windows platforms E. LAN's

: C Explanation: Ethereal is used for sniffing traffic. It will return the best results when used on an unswitched (i.e. hub. network.

201 ( Topic 5) You are a Administrator of Windows server. You want to find the port number for POP3. What file would you find the information in and where? Select the best answer. A. %windir%\\etc\\services B. system32\\drivers\\etc\\services C. %windir%\\system32\\drivers\\etc\\services D. /etc/services E. %windir%/system32/drivers/etc/services

: C Explanation: Explanations: %windir%\\system32\\drivers\\etc\\services is the correct place to look for this information.

266 ( Topic 7) When Jason moves a file via NFS over the company's network, you want to grab a copy of it by sniffing. Which of the following tool accomplishes this? A. macof B. webspy C. filesnarf D. nfscopy

: C Explanation: Filesnarf - sniff files from NFS traffic OPTIONS - -i interface Specify the interface to listen on. -v "Versus" mode. Invert the sense of matching, to select non-matching files. pattern Specify regular expression for filename matching. expression Specify a tcpdump(8) filter expression to select traffic to sniff. SEE ALSO - Dsniff, nfsd -

288 ( Topic 8) How does a denial-of-service attack work? A. A hacker tries to decipher a password by using a system, which subsequently crashes the network B. A hacker attempts to imitate a legitimate user by confusing a computer or even another person C. A hacker prevents a legitimate user (or group of users) from accessing a service D. A hacker uses every character, word, or letter he or she can think of to defeat authentication

: C Explanation: In computer security, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Typically the targets are high- profile web servers, and the attack attempts to make the hosted web pages unavailable on the Internet. It is a computer crime that violates the Internet proper use policy as indicated by the Internet Architecture Board (IAB).

244 ( Topic 6) John wants to try a new hacking tool on his Linux System. As the application comes from a site in his untrusted zone, John wants to ensure that the downloaded tool has not been Trojaned. Which of the following options would indicate the best course of action for John? A. Obtain the application via SSL B. Obtain the application from a CD-ROM disc C. Compare the files' MD5 signature with the one published on the distribution media D. Compare the file's virus signature with the one published on the distribution media

: C Explanation: In essence, MD5 is a way to verify data integrity, and is much more reliable than checksum and many other commonly used methods.

208 ( Topic 5) Study the snort rule given below: From the options below, choose the exploit against which this rule applies. A. WebDav B. SQL Slammer C. MS Blaster D. MyDoom

: C Explanation: MS Blaster scans the Internet for computers that are vulnerable to its attack. Once found, it tries to enter the system through the port 135 to create a buffer overflow. TCP ports 139 and 445 may also provide attack vectors.

263 ( Topic 7) The follows is an email header. What address is that of the true originator of the message? Return-Path: <[email protected]> Received: from smtp.com (fw.emumail.com [215.52.220.122]. by raq-221-181.ev1.net (8.10.2/8.10.2. with ESMTP id h78NIn404807 for <[email protected]>; Sat, 9 Aug 2003 18:18:50 -0500 Received: (qmail 12685 invoked from network.; 8 Aug 2003 23:25:25 -0000 Received: from ([19.25.19.10]. by smtp.com with SMTP Received: from unknown (HELO CHRISLAPTOP. (168.150.84.123. by localhost with SMTP; 8 Aug 2003 23:25:01 -0000 From: "Bill Gates" <[email protected]> To: "mikeg" <[email protected]> Subject: We need your help! Date: Fri, 8 Aug 2003 19:12:28 -0400 Message-ID: <51.32.123.21@CHRISLAPTOP> MIME-Version: 1.0 - Content-Type: multipart/mixed; boundary="----=_NextPart_000_0052_01C35DE1.03202950" X-Priority: 3 (Normal. X-MSMail-Priority: Normal - X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal - A. 19.25.19.10 B. 51.32.123.21 C. 168.150.84.123 D. 215.52.220.122 E. 8.10.2/8.10.2

: C Explanation: Spoofing can be easily achieved by manipulating the "from" name field, however, it is much more difficult to hide the true source address. The "received from" IP address 168.150.84.123 is the true source of the

260 ( Topic 7) Which tool/utility can help you extract the application layer data from each TCP connection from a log file into separate files? A. Snort B. argus C. TCPflow D. Tcpdump

: C Explanation: Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.

228 ( Topic 6) You have hidden a Trojan file virus.exe inside another file readme.txt using NTFS streaming. Which command would you execute to extract the Trojan to a standalone file? A. c:\> type readme.txt:virus.exe > virus.exe B. c:\> more readme.txt | virus.exe > virus.exe C. c:\> cat readme.txt:virus.exe > virus.exe D. c:\> list redme.txt$virus.exe > virus.exe

: C Explanation: cat will concatenate, or write, the alternate data stream to its own file named virus.exe

209 ( Topic 5) LM authentication is not as strong as Windows NT authentication so you may want to disable its use, because an attacker eavesdropping on network traffic will attack the weaker protocol. A successful attack can compromise the user's password. How do you disable LM authentication in Windows XP? A. Stop the LM service in Windows XP B. Disable LSASS service in Windows XP C. Disable LM authentication in the registry D. Download and install LMSHUT.EXE tool from Microsoft website

: C Explanation: http://support.microsoft.com/kb/299656

286 ( Topic 8) A Buffer Overflow attack involves: A. Using a trojan program to direct data traffic to the target host's memory stack B. Flooding the target network buffers with data traffic to reduce the bandwidth available to legitimate users C. Using a dictionary to crack password buffers by guessing user names and passwords D. Poorly written software that allows an attacker to execute arbitrary code on a target system

: D Explanation: B is a denial of service. By flooding the data buffer in an application with trash you could get access to write in the code segment in the application and that way insert your own code.

298 ( Topic 8) What is the term 8 to describe an attack that falsifies a broadcast ICMP echo request and includes a primary and secondary victim? A. Fraggle Attack B. Man in the Middle Attack C. Trojan Horse Attack D. Smurf Attack E. Back Orifice Attack

: D Explanation: Trojan and Back orifice are Trojan horse attacks. Man in the middle spoofs the Ip and redirects the victems packets to the cracker The infamous Smurf attack. preys on ICMP's capability to send traffic to the broadcast address. Many hosts can listen and respond to a single ICMP echo request sent to a broadcast address. Network Intrusion Detection third Edition by Stephen Northcutt and Judy Novak pg 70 The "smurf" attack's cousin is called "fraggle", which uses UDP echo packets in the same fashion as the ICMP echo packets; it was a simple re-write of "smurf".

207 ( Topic 5) You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you come to know that they are enforcing strong passwords. You understand that all users are required to use passwords that are at least 8 characters in length. All passwords must also use 3 of the 4 following categories: lower case letters, capital letters, numbers and special characters. With your existing knowledge of users, likely user account names and the possibility that they will choose the easiest passwords possible, what would be the fastest type of password cracking attack you can run against these hash values and still get results? A. Online Attack B. Dictionary Attack C. Brute Force Attack D. Hybrid Attack

: D Explanation: A dictionary attack will not work as strong passwords are enforced, also the minimum length of 8 characters in the password makes a brute force attack time consuming. A hybrid attack where you take a word from a dictionary and exchange a number of letters with numbers and special characters will probably be the fastest way to crack the passwords.

284 ( Topic 8) Bryce the bad boy is purposely sending fragmented ICMP packets to a remote target. The tool size of this ICMP packet once reconstructed is over 65,536 bytes. From the information given, what type of attack is Bryce attempting to perform? A. Smurf B. Fraggle C. SYN Flood D. Ping of Death

: D Explanation: A ping of death (abbreviated "POD") is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A ping is normally 64 bytes in size (or 84 bytes when IP header is considered); many computer systems cannot handle a ping larger than the maximum IP packet size, which is 65,535 bytes. Sending a ping of this size can crash the target computer. Traditionally, this bug has been relatively easy to exploit. Generally, sending a 65,536 byte ping packet is illegal according to networking protocol, but a packet of such a size can be sent if it is fragmented; when the target computer reassembles the packet, a buffer overflow can occur, which often causes a system crash.

300 ( Topic 8) A denial of Service (DoS) attack works on the following principle: A. MS-DOS and PC-DOS operating system utilize a weaknesses that can be compromised and permit them to launch an attack easily. B. All CLIENT systems have TCP/IP stack implementation weakness that can be compromised and permit them to lunch an attack easily. C. Overloaded buffer systems can easily address error conditions and respond appropriately. D. Host systems cannot respond to real traffic, if they have an overwhelming number of incomplete connections (SYN/RCVD State). E. A server stops accepting connections from certain networks one those network become flooded.

: D Explanation: Denial-of-service (often abbreviated as DoS) is a class of attacks in which an attacker attempts to prevent legitimate users from accessing an Internet service, such as a web site. This can be done by exercising a software bug that causes the software running the service to fail (such as the Ping of Death attack against Windows NT systems), sending enough data to consume all available network bandwidth (as in the May, 2001 attacks against Gibson Research), or sending data in such a way as to consume a particular resource needed by the service.

247 ( Topic 6) You suspect that your Windows machine has been compromised with a Trojan virus. When you run anti-virus software it does not pick of the Trojan. Next you run netstat command to look for open ports and you notice a strange port 6666 open. What is the next step you would do? A. Re-install the operating system. B. Re-run anti-virus software. C. Install and run Trojan removal software. and look for the application executable that listens on port 6666.

: D Explanation: Fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications. Topic 7, Sniffers -

229 ( Topic 6) Exhibit: * Missing* Jason's Web server was attacked by a trojan virus. He runs protocol analyzer and notices that the trojan communicates to a remote server on the Internet. Shown below is the standard "hexdump" representation of the network packet, before being decoded. Jason wants to identify the trojan by looking at the destination port number and mapping to a trojan-port number database on the Internet. Identify the remote server's port number by decoding the packet? A. Port 1890 (Net-Devil Trojan) B. Port 1786 (Net-Devil Trojan) C. Port 1909 (Net-Devil Trojan) D. Port 6667 (Net-Devil Trojan)

: D Explanation: From trace, 0x1A0B is 6667, IRC Relay Chat, which is one port used. Other ports are in the 900's.

270 ( Topic 7) Bob wants to prevent attackers from sniffing his passwords on the wired network. Which of the following lists the best options? A. RSA, LSA, POP B. SSID, WEP, Kerberos C. SMB, SMTP, Smart card D. Kerberos, Smart card, Stanford SRP

: D Explanation: Kerberos, Smart cards and Stanford SRP are techniques where the password never leaves the computer.

202 ( Topic 5) An attacker runs netcat tool to transfer a secret file between two hosts. Machine A: netcat -l -p 1234 < secretfile Machine B: netcat 192.168.3.4 > 1234 He is worried about information being sniffed on the network. How would the attacker use netcat to encrypt the information before transmitting onto the wire? A. Machine A: netcat -l -p -s password 1234 < testfileMachine B: netcat <machine A IP> 1234 B. Machine A: netcat -l -e magickey -p 1234 < testfileMachine B: netcat <machine A IP> 1234 C. Machine A: netcat -l -p 1234 < testfile -pw passwordMachine B: netcat <machine A IP> 1234 -pw password D. Use cryptcat instead of netcat

: D Explanation: Netcat cannot encrypt the file transfer itself but would need to use a third party application to encrypt/decrypt like openssl. Cryptcat is the standard netcat enhanced with twofish encryption.

242 ( Topic 6) Erik notices a big increase in UDP packets sent to port 1026 and 1027 occasionally. He enters the following at the command prompt. $ nc -l -p 1026 -u -v In response, he sees the following message. cell(?(c)????STOPALERT77STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION. Windows has found 47 Critical Errors. To fix the errors please do the following: 1. Download Registry Repair from: www.reg-patch.com 2. Install Registry Repair 3. Run Registry Repair 4. Reboot your computer FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION! What would you infer from this alert? A. The machine is redirecting traffic to www.reg-patch.com using adware B. It is a genuine fault of windows registry and the registry needs to be backed up C. An attacker has compromised the machine and backdoored ports 1026 and 1027 D. It is a messenger spam. Windows creates a listener on one of the low dynamic ports from 1026 to 1029 and the message usually promotes malware disguised as legitimate utilities

: D Explanation: The "net send" Messenger service can be used by unauthorized users of your computer, without gaining any kind of privileged access, to cause a pop-up window to appear on your computer. Lately, this feature has been used by unsolicited commercial advertisers to inform many campus users about a "university diploma service"...

236 ( Topic 6) Which of the following Netcat commands would be used to perform a UDP scan of the lower 1024 ports? A. Netcat -h -U B. Netcat -hU <host(s.> C. Netcat -sU -p 1-1024 <host(s.> D. Netcat -u -v -w2 <host> 1-1024 E. Netcat -sS -O target/1024

: D Explanation: The proper syntax for a UDP scan using Netcat is "Netcat -u -v -w2 <host> 1-1024". Netcat is considered the Swiss-army knife of hacking tools because it is so versatile.

237 ( Topic 6) A file integrity program such as Tripwire protects against Trojan horse attacks by: A. Automatically deleting Trojan horse programs B. Rejecting packets generated by Trojan horse programs C. Using programming hooks to inform the kernel of Trojan horse behavior D. Helping you catch unexpected changes to a system utility file that might indicate it had been replaced by a Trojan horse

: D Explanation: Tripwire generates a database of the most common files and directories on your system. Once it is generated, you can then check the current state of your system against the original database and get a report of all the files that have been modified, deleted or added. This comes in handy if you allow other people access to your machine and even if you don't, if someone else does get access, you'll know if they tried to modify files such as /bin/login etc.

285 ( Topic 8) What would best be defined as a security test on services against a known vulnerability database using an automated tool? A. A penetration test B. A privacy review C. A server audit D. A vulnerability assessment

: D Explanation: Vulnerability assessment is the process of identifying and quantifying vulnerabilities in a system. The system being studied could be a physical facility like a nuclear power plant, a computer system, or a larger system (for example the communications infrastructure or water infrastructure of a region).

215 ( Topic 5) Fingerprinting an Operating System helps a cracker because: A. It defines exactly what software you have installed B. It opens a security-delayed window based on the port being scanned C. It doesn't depend on the patches that have been applied to fix existing security holes D. It informs the cracker of which vulnerabilities he may be able to exploit on your system

: D Explanation: When a cracker knows what OS and Services you use he also knows which exploits might work on your system. If he would have to try all possible exploits for all possible Operating Systems and Services it would take too long time and the possibility of being detected increases.

255 ( Topic 7) Windump is a Windows port of the famous TCPDump packet sniffer available on a variety of platforms. In order to use this tool on the Windows Platform you must install a packet capture library. What is the name of this library? A. PCAP B. NTPCAP C. LibPCAP D. WinPCAP

: D Explanation: WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.

235 ( Topic 6) Assuring two systems that are using IPSec to protect traffic over the internet, what type of general attack could compromise the data? A. Spoof Attack B. Smurf Attack C. Man in the Middle Attack D. Trojan Horse Attack E. Back Orifice Attack

: D,E Explanation: To compromise the data, the attack would need to be executed before the encryption takes place at either end of the tunnel. Trojan Horse and Back Orifice attacks both allow for potential data manipulation on host computers. In both cases, the data would be compromised either before encryption or after decryption, so IPsec is not preventing the attack.

206 ( Topic 5) In the following example, which of these is the "exploit"? Today, Microsoft Corporation released a security notice. It detailed how a person could bring down the Windows 2003 Server operating system, by sending malformed packets to it. They detailed how this malicious process had been automated using basic scripting. Even worse, the new automated method for bringing down the server has already been used to perform denial of service attacks on many large commercial websites. Select the best answer. A. Microsoft Corporation is the exploit. B. The security "hole" in the product is the exploit. C. Windows 2003 Server D. The exploit is the hacker that would use this vulnerability. E. The documented method of how to use the vulnerability to gain unprivileged access.

: E Explanation: Explanations: Microsoft is not the exploit, but if Microsoft documents how the vulnerability can be used to gain unprivileged access, they are creating the exploit. If they just say that there is a hole in the product, then it is only a vulnerability. The security "hole" in the product is called the "vulnerability". It is documented in a way that shows how to use the vulnerability to gain unprivileged access, and it then becomes an "exploit". In the example given, Windows 2003 Server is the TOE (Target of Evaluation). A TOE is an IT System, product or component that requires security evaluation or is being identified. The hacker that would use this vulnerability is exploiting it, but the hacker is not the exploit. The documented method of how to use the vulnerability to gain unprivileged access is the correct answer.

279 ( Topic 8) Peter is a Network Admin. He is concerned that his network is vulnerable to a smurf attack. What should Peter do to prevent a smurf attack? Select the best answer. A. He should disable unicast on all routers B. Disable multicast on the router C. Turn off fragmentation on his router D. Make sure all anti-virus protection is updated on all systems E. Make sure his router won't take a directed broadcast

: E Explanation: Explanations: Unicasts are one-to-one IP transmissions, by disabling this he would disable most network transmissions but still not prevent the smurf attack. Turning of multicast or fragmentation on the router has nothing to do with Peters concerns as a smurf attack uses broadcast, not multicast and has nothing to do with fragmentation. Anti-virus protection will not help prevent a smurf attack. A smurf attack is a broadcast from a spoofed source. If directed broadcasts are enabled on the destination all the computers at the destination will respond to the spoofed source, which is really the victim. Disabling directed broadcasts on a router can prevent the attack.

218 ( Topic 5) What is the BEST alternative if you discover that a rootkit has been installed on one of your computers? A. Copy the system files from a known good system B. Perform a trap and trace C. Delete the files and try to determine the source D. Reload from a previous backup E. Reload from known good media

: E Explanation: If a rootkit is discovered, you will need to reload from known good media. This typically means performing a complete reinstall.