CEH_CL_Set_5

498 ( Topic 19) Which of the following is not an effective countermeasure against replay attacks? A. Digital signatures B. Time Stamps C. System identification D. Sequence numbers

: C Explanation: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. Effective countermeasures should be anything that makes it hard to delay or replay the packet (time stamps and sequence numbers) or anything that prove the package is received as it was sent from the original sender (digital signature)

442 ( Topic 18) What is the expected result of the following exploit? A. Opens up a telnet listener that requires no username or password. B. Create a FTP server with write permissions enabled. C. Creates a share called "sasfile" on the target system. D. Creates an account with a user name of Anonymous and a password of [email protected].

: A Explanation: The script being depicted is in perl (both msadc.pl and the script their using as a wrapper) - - $port, $your, $user, $pass, $host are variables that hold the port # of a DNS server, an IP, username, and FTP password. $host is set to argument variable 0 (which means the string typed directly after the command). Essentially what happens is it connects to an FTP server and downloads nc.exe (the TCP/IP swiss-army knife -- netcat) and uses nc to open a TCP port spawning cmd.exe (cmd.exe is the Win32 DOS shell on NT/2000/2003/XP), cmd.exe when spawned requires NO username or password and has the permissions of the username it is being executed as (probably guest in this instance, although it could be administrator). The #'s in the script means the text following is a comment, notice the last line in particular, if the # was removed the script would spawn a connection to itself, the host system it was running on.

458 ( Topic 18) You are trying to compromise a Linux Machine and steal the password hashes for cracking with password brute forcing program. Where is the password file kept is Linux? A. /etc/shadow B. /etc/passwd C. /bin/password D. /bin/shadow

: A Explanation: /etc/shadow file stores actual password in encrypted format for users account with additional properties related to user password i.e. it stores secure user account information. All fields are separated by a colon (:) symbol. It contains one entry per line for each user listed in /etc/passwd file. Topic 19, Evading IDS, Firewalls and Honeypots

434 ( Topic 17) Which of the following keyloggers cant be detected by anti-virus or anti-spyware products? A. Hardware keylogger B. Software Keylogger C. Stealth Keylogger D. Convert Keylogger

: A Explanation: A hardware keylogger will never interact with the operating system and therefore it will never be detected by any security programs running in the operating system.

433 ( Topic 17) Joseph has just been hired on to a contractor company of the Department of Defense as their senior Security Analyst. Joseph has been instructed on the Companys strict security policies that have been implemented and the policies that have yet to be put in place. Per the Department of Defense, all DoD users and the users of their contractors must use two-factor authentication to access their networks. Joseph has been delegated the task of researching and implementing the best two-factor authentication method for his company. Josephs supervisor has told him that they would like to use some type of hardware device in tandem with a security or identifying pin number. Josephs company has already researched using smart cards and all the resources needed to implement them, but found the smart cards to not be cost effective. What type of device should Joseph use for two-factor authentication? A. Security token B. Biometric device C. OTP D. Proximity cards

: A Explanation: A security token (sometimes called an authentication token) is a small hardware device that the owner carries to authorize access to a network service. The device may be in the form of a smart card or may be embedded in a commonly used object such as a key fob. Security tokens provide an extra level of assurance through a method : the user has a personal identification number (PIN), which authorizes them as the owner of that particular device; the device then displays a number which uniquely identifies the user to the service, allowing them to log in.

473 ( Topic 19) Angela is trying to access an education website that requires a username and password to login. When Angela clicks on the link to access the login page, she gets an error message stating that the page cant be reached. She contacts the websites support team and they report that no one else is having any issues with the site. After handing the issue over to her companys IT department, it is found that the education website requires any computer accessing the site must be able to respond to a ping from the educations server. Since Angelas computer is behind a corporate firewall, her computer cant ping the education website back. What ca Angelas IT department do to get access to the education website? A. Change the IP on Angela's Computer to an address outside the firewall B. Change the settings on the firewall to allow all incoming traffic on port 80 C. Change the settings on the firewall all outbound traffic on port 80 D. Use a Internet browser other than the one that Angela is currently using

: A Explanation: Allowing traffic to and from port 80 will not help as this will be UDP or TCP traffic and ping uses ICMP. The browser used by the user will not make any difference. The only alternative here that would solve the problem is to move the computer to outside the firewall.

470 ( Topic 19) An employee wants to defeat detection by a network-based IDS application. He does not want to attack the system containing the IDS application. Which of the following strategies can be used to defeat detection by a network- based IDS application? (Choose the best answer) A. Create a network tunnel. B. Create a multiple false positives. C. Create a SYN flood. D. Create a ping flood.

: A Explanation: Certain types of encryption presents challenges to network-based intrusion detection and may leave the IDS blind to certain attacks, where a host-based IDS analyzes the data after it has been decrypted.

444 ( Topic 18) Clive is conducting a pen-test and has just port scanned a system on the network. He has identified the operating system as Linux and been able to elicit responses from ports 23, 25 and 53. He infers port 23 as running Telnet service, port 25 as running SMTP service and port 53 as running DNS service. The client confirms these findings and attests to the current availability of the services. When he tries to telnet to port 23 or 25, he gets a blank screen in response. On typing other commands, he sees only blank spaces or underscores symbols on the screen. What are you most likely to infer from this? A. The services are protected by TCP wrappers B. There is a honeypot running on the scanned machine C. An attacker has replaced the services with trojaned ones D. This indicates that the telnet and SMTP server have crashed

: A Explanation: Explanation: TCP Wrapper is a host-based network ACL system, used to filter network access to Internet protocol services run on (Unix-like) operating systems such as Linux or BSD. It allows host or subnetwork IP addresses, names and/or ident query replies, to be used as tokens on which to filter for access control purposes.

426 ( Topic 16) What is the best means of prevention against viruses? A. Assign read only permission to all files on your system. B. Remove any external devices such as floppy and USB connectors. C. Install a rootkit detection tool. D. Install and update anti-virus scanner.

: D Explanation: Although virus scanners only can find already known viruses this is still the best defense, together with users that are informed about risks with the internet.

408 ( Topic 15) Joe Hacker is going wardriving. He is going to use PrismStumbler and wants it to go to a GPS mapping software application. What is the recommended and well-known GPS mapping package that would interface with PrismStumbler? Select the best answer. A. GPSDrive B. GPSMap C. WinPcap D. Microsoft Mappoint

: A Explanation: Explanations: GPSDrive is a Linux GPS mapping package. It recommended to be used to send PrismStumbler data to so that it can be mapped. GPSMap is a generic term and not a real software package. WinPcap is a packet capture library for Windows. It is used to capture packets and deliver them to other programs for analysis. As it is for Windows, it isn't going to do what Joe Hacker is wanting to do. Microsoft Mappoint is a Windows application. PrismStumbler is a Linux application. Thus, these two are not going to work well together.

478 ( Topic 19) Network Intrusion Detection systems can monitor traffic in real time on networks. Which one of the following techniques can be very effective at avoiding proper detection? A. Fragmentation of packets. B. Use of only TCP based protocols. C. Use of only UDP based protocols. D. Use of fragmented ICMP traffic only.

: A Explanation: If the default fragmentation reassembly timeout is set to higher on the client than on the IDS then the it is possible to send an attack in fragments that will never be reassembled in the IDS but they will be reassembled and read on the client computer acting victim.

489 ( Topic 19) What type of attack changes its signature and/or payload to avoid detection by antivirus programs? A. Polymorphic B. Rootkit C. Boot sector D. File infecting

: A Explanation: In computer terminology, polymorphic code is code that mutates while keeping the original algorithm intact. This technique is sometimes used by computer viruses, shellcodes and computer worms to hide their presence.

469 ( Topic 19) Carl has successfully compromised a web server from behind a firewall by exploiting a vulnerability in the web server program. He wants to proceed by installing a backdoor program. However, he is aware that not all inbound ports on the firewall are in the open state. From the list given below, identify the port that is most likely to be open and allowed to reach the server that Carl has just compromised. A. 53 B. 110 C. 25 D. 69

: A Explanation: Port 53 is used by DNS and is almost always open, the problem is often that the port is opened for the hole world and not only for outside DNS servers.

423 ( Topic 16) Virus Scrubbers and other malware detection program can only detect items that they are aware of. Which of the following tools would allow you to detect unauthorized changes or modifications of binary files on your system by unknown malware? A. System integrity verification tools B. Anti-Virus Software C. A properly configured gateway D. There is no way of finding out until a new updated signature file is released

: A Explanation: Programs like Tripwire aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner.

485 ( Topic 19) Snort is an open source Intrusion Detection system. However, it can also be used for a few other purposes as well. Which of the choices below indicate the other features offered by Snort? A. IDS, Packet Logger, Sniffer B. IDS, Firewall, Sniffer C. IDS, Sniffer, Proxy D. IDS, Sniffer, content inspector

: A Explanation: Snort is a free software network intrusion detection and prevention system capable of performing packet logging & real-time traffic analysis, on IP networks. Snort was written by Martin Roesch but is now owned and developed by Sourcefire

477 ( Topic 19) This IDS defeating technique works by splitting a datagram (or packet) into multiple fragments and the IDS will not spot the true nature of the fully assembled datagram. The datagram is not reassembled until it reaches its final destination. It would be a processor-intensive tasks for an IDS to reassemble all fragments itself and on a busy system the packet will slip through the IDS onto the network. What is this technique called? A. IP Fragmentation or Session Splicing B. IP Routing or Packet Dropping C. IDS Spoofing or Session Assembly D. IP Splicing or Packet Reassembly

: A Explanation: The basic premise behind session splicing, or IP Fragmentation, is to deliver the payload over multiple packets thus defeating simple pattern matching without session reconstruction. This payload can be delivered in many different manners and even spread out over a long period of time. Currently, Whisker and Nessus have session splicing capabilities, and other tools exist in the wild.

471 ( Topic 19) Exhibit: Given the following extract from the snort log on a honeypot, what service is being exploited? : A. FTP B. SSH C. Telnet D. SMTP

: A Explanation: The connection is done to 172.16.1.104:21.

402 ( Topic 15) In order to attack a wireless network, you put up an access point and override the signal of the real access point. As users send authentication data, you are able to capture it. What kind of attack is this? A. Rouge access point attack B. Unauthorized access point attack C. War Chalking D. WEP attack

: A Explanation: The definition of a Rogue access point is:1. A wireless access point (AP) installed by an employee without the consent of the IT department. Without the proper security configuration, users have exposed their company's network to the outside world.2. An access point (AP) set up by an attacker outside a facility with a wireless network. Also called an "evil twin," the rogue AP picks up beacons (signals that advertise its presence) from the company's legitimate AP and transmits identical beacons, which some client machines inside the building associate with.

435 ( Topic 17) What does the this symbol mean? A. Open Access Point B. WPA Encrypted Access Point C. WEP Encrypted Access Point D. Closed Access Point

: A Explanation: This symbol is a warchalking symbol for a open node (open circle) with the SSID tsunami and the bandwidth 2.0 Mb/s

440 ( Topic 18) After studying the following log entries, what is the attacker ultimately trying to achieve as inferred from the log sequence? 1. mkdir -p /etc/X11/applnk/Internet/.etc 2. mkdir -p /etc/X11/applnk/Internet/.etcpasswd 3. touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd 4. touch -acmr /etc /etc/X11/applnk/Internet/.etc 5. passwd nobody -d 6. /usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash 7. passwd dns -d 8. touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd 9. touch -acmr /etc/X11/applnk/Internet/.etc /etc A. Change password of user nobody B. Extract information from a local directory C. Change the files Modification Access Creation times D. Download rootkits and passwords into a new directory

: C

411 ( Topic 15) WEP is used on 802.11 networks, what was it designed for? A. WEP is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what it usually expected of a wired LAN. B. WEP is designed to provide strong encryption to a wireless local area network (WLAN) with a lever of integrity and privacy adequate for sensible but unclassified information. C. WEP is designed to provide a wireless local area network (WLAN) with a level of availability and privacy comparable to what is usually expected of a wired LAN. D. WEOP is designed to provide a wireless local area network (WLAN) with a level of privacy comparable to what it usually expected of a wired LAN.

: A Explanation: WEP was intended to provide comparable confidentiality to a traditional wired network (in particular it does not protect users of the network from each other), hence WEP key - can be cracked with readily available software in two minutes or less and WEP was superseded by Wi-Fi Protected Access (WPA) in 2003, and then by the full IEEE 802.11i standard (also known as WPA2) in 2004.

432 ( Topic 17) Samuel is high school teenager who lives in Modesto California. Samuel is a straight A student who really likes tinkering around with computers and other types of electronic devices. Samuel just received a new laptop for his birthday and has been configuring it ever since. While tweaking the registry, Samuel notices a pop up at the bottom of his screen stating that his computer was now connected to a wireless network. All of a sudden, he was able to get online and surf the Internet. Samuel did some quick research and was able to gain access to the wireless router he was connecting to and see al of its settings? Being able to hop onto someone elses wireless network so easily fascinated Samuel so he began doing more and more research on wireless technologies and how to exploit them. The next day Samuels fried said that he could drive around all over town and pick up hundred of wireless networks. This really excited Samuel so they got into his friends car and drove around the city seeing which networks they could connect to and which ones they could not. What has Samuel and his friend just performed? A. Wardriving B. Warwalking C. Warchalking D. Webdriving

: A Explanation: Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle using a Wi-Fi-equipped computer, such as a laptop or a PDA, to detect the networks. It was also known (as of 2002) as "WiLDing" (Wireless Lan Driving, although this term never gained any popularity and is no longer used), originating in the San Francisco Bay Area with the Bay Area Wireless Users Group (BAWUG). It is similar to using a scanner for radio.

475 ( Topic 19) Which of the following countermeasure can specifically protect against both the MAC Flood and MAC Spoofing attacks? A. Port Security B. Switch Mapping C. Port Reconfiguring D. Multiple Recognition

: A Explanation: With Port Security the switch will keep track of which ports are allowed to send traffic on a port.

410 ( Topic 15) Paul has just finished setting up his wireless network. He has enabled numerous security features such as changing the default SSID, enabling WPA encryption and enabling MAC filtering on hi wireless router. Paul notices when he uses his wireless connection, the speed is sometimes 54 Mbps and sometimes it is only 24mbps or less. Paul connects to his wireless routers management utility and notices that a machine with an unfamiliar name is connected through his wireless connection. Paul checks the routers logs and notices that the unfamiliar machine has the same MAC address as his laptop. What is Paul seeing here? A. MAC Spoofing B. Macof C. ARP Spoofing D. DNS Spoofing

: A Explanation: You can fool MAC filtering by spoofing your MAC address and pretending to have some other computers MAC address.

437 ( Topic 18) Jims organization has just completed a major Linux roll out and now all of the organizations systems are running the Linux 2.5 kernel. The roll out expenses has posed constraints on purchasing other essential security equipment and software. The organization requires an option to control network traffic and also perform stateful inspection of traffic going into and out of the DMZ. Which built-in functionality of Linux can achieve this? A. IP Tables B. IP Chains C. IP Sniffer D. IP ICMP

: A Explanation: iptables is a user space application program that allows a system administrator to configure the netfilter tables, chains, and rules (described above). Because iptables requires elevated privileges to operate, it must be executed by user root, otherwise it fails to function. On most Linux systems, iptables is installed as /sbin/iptables. IP Tables performs stateful inspection while the older IP Chains only performs stateless inspection.

468 ( Topic 19) If you come across a sheepdip machaine at your client site, what would you infer? A. A sheepdip computer is used only for virus checking. B. A sheepdip computer is another name for honeypop. C. A sheepdip coordinates several honeypots. D. A sheepdip computer defers a denial of service attack.

: A , a sheepdip is the process of checking physical media, such as floppy disks or CD-ROMs, for viruses before they are used in a computer. Typically, a computer that sheepdips is used only for that process and nothing else and is isolated from the other computers, meaning it is not connected to the network. Most sheepdips use at least two different antivirus programs in order to increase effectiveness.

484 ( Topic 19) If you come across a sheepdip machine at your clients site, what should you do? A. A sheepdip computer is used only for virus-checking. B. A sheepdip computer is another name for a honeypot C. A sheepdip coordinates several honeypots. D. A sheepdip computers defers a denial of service attack.

: A , a sheepdip is the process of checking physical media, such as floppy disks or CD-ROMs, for viruses before they are used in a computer. Typically, a computer that sheepdips is used only for that process and nothing else and is isolated from the other computers, meaning it is not connected to the network. Most sheepdips use at least two different antivirus programs in order to increase effectiveness.

488 ( Topic 19) What makes web application vulnerabilities so aggravating? (Choose two) A. They can be launched through an authorized port. B. A firewall will not stop them. C. They exist only on the Linux platform. D. They are detectable by most leading antivirus software.

: A,B Explanation: As the vulnerabilities exists on a web server, incoming traffic on port 80 will probably be allowed and no firewall rules will stop the attack.

412 ( Topic 15) Which of the following wireless technologies can be detected by NetStumbler? (Select all that apply) A. 802.11b B. 802.11e C. 802.11a D. 802.11g E. 802.11

: A,C,D Explanation: If you check the website, cards for all three (A, B, G) are supported. See: http://www.stumbler.net/

428 ( Topic 16) Which are true statements concerning the BugBear and Pretty Park worms? Select the best answers. A. Both programs use email to do their work. B. Pretty Park propagates via network shares and email C. BugBear propagates via network shares and email D. Pretty Park tries to connect to an IRC server to send your personal passwords. E. Pretty Park can terminate anti-virus applications that might be running to bypass them.

: A,C,D Explanation: Explanations: Both Pretty Park and BugBear use email to spread. Pretty Park cannot propagate via network shares, only email. BugBear propagates via network shares and email. It also terminates anti-virus applications and acts as a backdoor server for someone to get into the infected machine. Pretty Park tries to connect to an IRC server to send your personal passwords and all sorts of other information it retrieves from your PC. Pretty Park cannot terminate anti-virus applications. However, BugBear can terminate AV software so that it can bypass them.

449 ( Topic 18) Several of your co-workers are having a discussion over the etc/passwd file. They are at odds over what types of encryption are used to secure Linux passwords.(Choose all that apply. A. Linux passwords can be encrypted with MD5 B. Linux passwords can be encrypted with SHA C. Linux passwords can be encrypted with DES D. Linux passwords can be encrypted with Blowfish E. Linux passwords are encrypted with asymmetric algrothims

: A,C,D Explanation: Linux passwords are enrcypted using MD5, DES, and the NEW addition Blowfish. The default on most linux systems is dependant on the distribution, RedHat uses MD5, while slackware uses DES. The blowfish option is there for those who wish to use it. The encryption algorithm in use can be determined by authconfig on RedHat-based systems, or by reviewing one of two locations, on PAM-based systems (Pluggable Authentication Module) it can be found in /etc/pam.d/, the system-auth file or authconfig files. In other systems it can be found in /etc/security/ directory.

421 ( Topic 15) Bob reads an article about how insecure wireless networks can be. He gets approval from his management to implement a policy of not allowing any wireless devices on the network. What other steps does Bob have to take in order to successfully implement this? (Select 2 answer.) A. Train users in the new policy. B. Disable all wireless protocols at the firewall. C. Disable SNMP on the network so that wireless devices cannot be configured. D. Continuously survey the area for wireless devices.

: A,D Explanation: If someone installs a access point and connect it to the network there is no way to find it unless you are constantly surveying the area for wireless devices. SNMP and firewalls can not prevent the installation of wireless devices on the corporate network.

447 ( Topic 18) Rebecca is a security analyst and knows of a local root exploit that has the ability to enable local users to use available exploits to gain root privileges. This vulnerability exploits a condition in the Linux kernel within the execve() system call. There is no known workaround that exists for this vulnerability. What is the correct action to be taken by Rebecca in this situation as a recommendation to management? A. Rebecca should make a recommendation to disable the () system call B. Rebecca should make a recommendation to upgrade the Linux kernel promptly C. Rebecca should make a recommendation to set all child-process to sleep within the execve() D. Rebecca should make a recommendation to hire more system administrators to monitor all child processes to ensure that each child process can't elevate privilege

: B

456 ( Topic 18) Bob is a Junior Administrator at ABC Company. On One of Linux machine he entered the following firewall rules: Why he entered the above line? A. To accept the Telnet connection B. To deny the Telnet connection C. The accept all connection except telnet connection D. None of Above

: B Explanation: -t, --table This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there. The tables are as follows: filter This is the default table, and contains the built-in chains INPUT (for packets coming into the box itself), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets). nat This table is consulted when a packet which is creates a new connection is encountered. It consists of three built- ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). mangle This table is used for specialized packet alteration. It has two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). -A, --append Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination. , or it can be a numeric value, representing one of these protocols or a different one. Also a protocol name from /etc/protocols is allowed. A "!" argument before will match may not be used in in combination with the check command. ] Destination port or port range specification. The flag --dport is an alias for this option. This specifies the target of the rule; ie. what to do if the packet matches it. The target can be a user-defined chain (not the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule, then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.

413 ( Topic 15) Matthew re-injects a captured wireless packet back onto the network. He does this hundreds of times within a second. The packet is correctly encrypted and Matthew assumes it is an ARP request packet. The wireless host responds with a stream of responses, all individually encrypted with different IVs. What is this attack most appropriately called? A. Spoof Attack B. Replay Attack C. Inject Attack D. Rebound Attack

: B Explanation: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it.

427 ( Topic 16) Which of the following is one of the key features found in a worm but not seen in a virus? A. The payload is very small, usually below 800 bytes. B. It is self replicating without need for user intervention. C. It does not have the ability to propagate on its own. D. All of them cannot be detected by virus scanners.

: B Explanation: A worm is similar to a virus by its design, and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, it has the capability to travel without any help from a person. A worm takes advantage of file or information transport features on your system, which allows it to travel unaided.

420 ( Topic 15) In an attempt to secure his wireless network, Bob turns off broadcasting of the SSID. He concludes that since his access points require the client computer to have the proper SSID, it would prevent others from connecting to the wireless network. Unfortunately unauthorized users are still able to connect to the wireless network. Why do you think this is possible? A. Bob forgot to turn off DHCP. B. All access points are shipped with a default SSID. C. The SSID is still sent inside both client and AP packets. D. Bob's solution only works in ad-hoc mode.

: B Explanation: All access points are shipped with a default SSID unique to that manufacturer, for example 3com uses the default ssid comcomcom.

407 ( Topic 15) In an attempt to secure his wireless network, Bob implements a VPN to cover the wireless communications. Immediately after the implementation, users begin complaining about how slow the wireless network is. After benchmarking the networks speed. Bob discovers that throughput has dropped by almost half even though the number of users has remained the same. Why does this happen in the VPN over wireless implementation? A. The stronger encryption used by the VPN slows down the network. B. Using a VPN with wireless doubles the overhead on an access point for all direct client to access point communications. C. VPNs use larger packets then wireless networks normally do. D. Using a VPN on wireless automatically enables WEP, which causes additional overhead.

: B Explanation: By applying VPN the access point will have to recalculate all headers destined for client and from clients twice.

439 ( Topic 18) John is the network administrator of XSECURITY systems. His network was recently compromised. He analyzes the logfiles to investigate the attack. Take a look at the following Linux logfile snippet. The hacker compromised and "owned" a Linux machine. What is the hacker trying to accomplish here? [root@apollo /]# rm rootkit.c [root@apollo /]# [root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm - rf /root/.bash_history ; rm - rf /usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/por359 ? 00:00:00 inetd 359 ? 00:00:00 inetd rm: cannot remove `/tmp/h': No such file or directory rm: cannot remove `/usr/sbin/rpc.portmap': No such file or directory [root@apollo /]# ps -aux | grep portmap [root@apollo /]# [root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history ; rm - rf /usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/por359 ? 00:00:00 inetd rm: cannot remove `/sbin/portmap': No such file or directory rm: cannot remove `/tmp/h': No such file or directory >rm: cannot remove `/usr/sbin/rpc.portmap': No such file or directory [root@apollo /]# rm: cannot remove `/sbin/portmap': No such file or directory A. The hacker is planting a rootkit B. The hacker is trying to cover his tracks C. The hacker is running a buffer overflow exploit to lock down the system D. The hacker is attempting to compromise more machines on the network

: B Explanation: By deleting temporary directories and emptying like bash_history that contains the last commands used with the bash shell he is trying to cover his tracks.

464 ( Topic 19) ETHER: Destination address : 0000BA5EBA11 ETHER: Source address : 00A0C9B05EBD ETHER: Frame Length : 1514 (0x05EA) ETHER: Ethernet Type : 0x0800 (IP) IP: Version = 4 (0x4) IP: Header Length = 20 (0x14) IP: Service Type = 0 (0x0) IP: Precedence = Routine IP: ...0.... = Normal Delay IP: ....0... = Normal Throughput IP: .....0.. = Normal Reliability IP: Total Length = 1500 (0x5DC) IP: Identification = 7652 (0x1DE4) IP: Flags Summary = 2 (0x2) IP: .......0 = Last fragment in datagram IP: ......1. = Cannot fragment datagram IP: Fragment Offset = (0x0) bytes IP: Time to Live = 127 (0x7F) IP: Protocol = TCP - Transmission Control IP: Checksum = 0xC26D IP: Source Address = 10.0.0.2 IP: Destination Address = 10.0.1.201 TCP: Source Port = Hypertext Transfer Protocol TCP: Destination Port = 0x1A0B TCP: Sequence Number = 97517760 (0x5D000C0) TCP: Acknowledgement Number = 78544373 (0x4AE7DF5) TCP: Data Offset = 20 (0x14) TCP: Reserved = 0 (0x0000) TCP: Flags = 0x10 : .A.... TCP: ..0..... = No urgent data TCP: ...1.... = Acknowledgement field significant TCP: ....0... = No Push function TCP: .....0.. = No Reset TCP: ......0. = No Synchronize TCP: .......0 = No Fin TCP: Window = 28793 (0x7079) TCP: Checksum = 0x8F27 TCP: Urgent Pointer = 0 (0x0) An employee wants to defeat detection by a network-based IDS application. He does not want to attack the system containing the IDS application. Which of the following strategies can be used to defeat detection by a network-based IDS application? A. Create a SYN flood B. Create a network tunnel C. Create multiple false positives D. Create a ping flood

: B Explanation: Certain types of encryption presents challenges to network-based intrusion detection and may leave the IDS blind to certain attacks, where a host-based IDS analyzes the data after it has been decrypted.

443 ( Topic 18) What is Cygwin? A. Cygwin is a free C++ compiler that runs on Windows B. Cygwin is a free Unix subsystem that runs on top of Windows C. Cygwin is a free Windows subsystem that runs on top of Linux D. Cygwin is a X Windows GUI subsytem that runs on top of Linux GNOME environment

: B Explanation: Cygwin is a Linux-like environment for Windows. It consists of two parts: A DLL (cygwin1.dll) which acts as a Linux API emulation layer providing substantial Linux API functionality. A collection of tools which provide Linux look and feel. The Cygwin DLL works with all non-beta, non "release candidate", ix86 32 bit versions of Windows since Windows 95, with the exception of Windows CE.

452 ( Topic 18) Peter is a Linux network admin. As a knowledgeable security consultant, he turns to you to look for help on a firewall. He wants to use Linux as his firewall and use the latest freely available version that is offered. What do you recommend? Select the best answer. A. Ipchains B. Iptables C. Checkpoint FW for Linux D. Ipfwadm

: B Explanation: Explanations: Ipchains was improved over ipfwadm with its chaining mechanism so that it can have multiple rulesets. However, it isn't the latest version of a free Linux firewall. Iptables replaced ipchains and is the latest of the free Linux firewall tools. Any Checkpoint firewall is not going to meet Jason's desire to have a free firewall. Ipfwadm is used to build Linux firewall rules prior to 2.2.0. It is a outdated version.

480 ( Topic 19) You are attempting to map out the firewall policy for an organization. You discover your target system is one hop beyond the firewall. Using hping2, you send SYN packets with the exact TTL of the target system starting at port 1 and going up to port 1024. What is this process known as? A. Footprinting B. Firewalking C. Enumeration D. Idle scanning

: B Explanation: Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attackers host to a destination host through a packet-filtering device. This technique can be used to map open or pass through ports on a gateway. More over, it can determine whether packets with various control information can pass through a given gateway.

500 ( Topic 19) You may be able to identify the IP addresses and machine names for the firewall, and the names of internal mail servers by: A. Sending a mail message to a valid address on the target network, and examining the header information generated by the IMAP servers B. Examining the SMTP header information generated by using the mx command parameter of DIG C. Examining the SMTP header information generated in response to an e-mail message sent to an invalid address D. Sending a mail message to an invalid address on the target network, and examining the header information generated by the POP servers

: C

496 ( Topic 19) To scan a host downstream from a security gateway, Firewalking: A. Sends a UDP-based packet that it knows will be blocked by the firewall to determine how specifically the firewall responds to such packets B. Uses the TTL function to send packets with a TTL value set to expire one hop past the identified security gateway C. Sends an ICMP ''administratively prohibited'' packet to determine if the gateway will drop the packet without comment. D. Assesses the security rules that relate to the target system before it sends packets to any hops on the route to the gateway

: B Explanation: Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attackers host to a destination host through a packet-filtering device. This technique can be used to map open or pass through ports on a gateway. More over, it can determine whether packets with various control information can pass through a given gateway.

404 ( Topic 15) On wireless networks, a SSID is used to identify the network. Why are SSID not considered to be a good security mechanism to protect a wireless network? A. The SSID is only 32 bits in length B. The SSID is transmitted in clear text C. The SSID is to identify a station not a network D. The SSID is the same as the MAC address for all vendors

: B Explanation: The use of SSIDs is a fairly weak form of security, because most access points broadcast the SSID, in clear text, multiple times per second within the body of each beacon frame. A hacker can easily use an 802.11 analysis tool (e.g., AirMagnet, Netstumbler, or AiroPeek) to identify the SSID.

462 ( Topic 19) What do you conclude from the nmap results below? Staring nmap V. 3.10ALPHA0 (www.insecure.org/map/) (The 1592 ports scanned but not shown below are in state: closed) PortStateService - 21/tcpopenftp 25/tcpopensmtp 80/tcpopenhttp 443/tcpopenhttps Remote operating system guess: Too many signatures match the reliability guess the OS. Nmap run completed 1 IP address (1 host up) scanned in 91.66 seconds A. The system is a Windows Domain Controller. B. The system is not firewalled. C. The system is not running Linux or Solaris. D. The system is not properly patched.

: B Explanation: There is no reports of any ports being filtered.

424 ( Topic 16) The Slammer Worm exploits a stack-based overflow that occurs in a DLL implementing the Resolution Service. Which of the following Database Server was targeted by the slammer worm? A. Oracle B. MSSQL C. MySQL D. Sybase E. DB2

: B Explanation: W32.Slammer is a memory resident worm that propagates via UDP Port 1434 and exploits a vulnerability in SQL Server 2000 systems and systems with MSDE 2000 that have not applied the patch released by Microsoft Security Bulletin MS02-039.

454 ( Topic 18) WinDump is a popular sniffer which results from the porting to Windows of TcpDump for Linux. What library does it use ? A. LibPcap B. WinPcap C. Wincap D. None of the above

: B Explanation: WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.

491 ( Topic 19) Once an intruder has gained access to a remote system with a valid username and password, the attacker will attempt to increase his privileges by escalating the used account to one that has increased privileges. such as that of an administrator. What would be the best countermeasure to protect against escalation of priveges? A. Give users tokens B. Give user the least amount of privileges C. Give users two passwords D. Give users a strong policy document

: B Explanation: With less privileges it is harder to increase the privileges.

451 ( Topic 18) Rebecca has noted multiple entries in her logs about users attempting to connect on ports that are either not opened or ports that are not for public usage. How can she restrict this type of abuse by limiting access to only specific IP addresses that are trusted by using one of the built-in Linux Operating System tools? A. Ensure all files have at least a 755 or more restrictive permissions. B. Configure rules using ipchains. C. Configure and enable portsentry on his server. D. Install an intrusion detection system on her computer such as Snort.

: B Explanation: ipchains is a free software based firewall for Linux. It is a rewrite of Linux's previous IPv4 firewalling code, ipfwadm. In Linux 2.2, ipchains is required to administer the IP packet filters. ipchains was written because the older IPv4 firewall code used in Linux 2.0 did not work with IP fragments and didn't allow for specification of protocols other than TCP, UDP, and ICMP.

445 ( Topic 18) On a backdoored Linux box there is a possibility that legitimate programs are modified or trojaned. How is it possible to list processes and uids associated with them in a more reliable manner? A. Use "Is" B. Use "lsof" C. Use "echo" D. Use "netstat"

: B Explanation: lsof is a command used in many Unix-like systems that is used to report a list of all open files and the processes that opened them. It works in and supports several UNIX flavors.

472 ( Topic 19) Which of the following are potential attacks on cryptography? (Select 3) A. One-Time-Pad Attack B. Chosen-Ciphertext Attack C. Man-in-the-Middle Attack D. Known-Ciphertext Attack E. Replay Attack

: B,C,E Explanation: A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis in which the cryptanalyst chooses a ciphertext and causes it to be decrypted with an unknown key. Specific forms of this attack are sometimes termed "lunchtime" or "midnight" attacks, referring to a scenario in which an attacker gains access to an unattended decryption machine. In cryptography, a man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised. The attacker must be able to observe and intercept messages going between the two victims. A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution (such as stream cipher attack).

414 ( Topic 15) Access control is often implemented through the use of MAC address filtering on wireless Access Points. Why is this considered to be a very limited security measure? A. Vendors MAC address assignment is published on the Internet. B. The MAC address is not a real random number. C. The MAC address is broadcasted and can be captured by a sniffer. D. The MAC address is used properly only on Macintosh computers.

: C

417 ( Topic 15) In order to attack wireless network, you put up an access point and override the signal of the real access point. And when users send authentication data, you are able to capture it. What kind of attack is this? A. WEP Attack B. Drive by hacking C. Rogue Access Point Attack D. Unauthorized Access Point Attack

: C Explanation: A rogue access point is a wireless access point that has either been installed on a secure company network without explicit authorization from a local network management or has been created to allow a cracker to conduct a man-in-the-middle attack.

492 ( Topic 19) Exhibit - Study the log given in the exhibit, Precautionary measures to prevent this attack would include writing firewall rules. Of these firewall rules, which among the following would be appropriate? A. Disallow UDP 53 in from outside to DNS server B. Allow UDP 53 in from DNS server to outside C. Disallow TCP 53 in from secondaries or ISP server to DNS server D. Block all UDP traffic

: C Explanation: According to the exhibit, the question is regarding the DNS Zone Transfer. Since Zone Transfers are done with TCP port 53, you should not allow this connect external to you organization.

425 ( Topic 16) What are the main drawbacks for anti-virus software? A. AV software is difficult to keep up to the current revisions. B. AV software can detect viruses but can take no action. C. AV software is signature driven so new exploits are not detected. D. Its relatively easy for an attacker to change the anatomy of an attack to bypass AV systems E. AV software isn't available on all major operating systems platforms. F. AV software is very machine (hardware) dependent.

: C Explanation: Although there are functions like heuristic scanning and sandbox technology, the Antivirus program is still mainly depending of signature databases and can only find already known viruses.

493 ( Topic 19) SSL has been as the solution to a lot of common security problems. Administrator will often time make use of SSL to encrypt communications from points A to Point B. Why do you think this could be a bad idea if there is an Intrusion Detection System deployed to monitor the traffic between Point A to Point B? A. SSL is redundant if you already have IDS's in place B. SSL will trigger rules at regular interval and force the administrator to turn them off C. SSL will make the content of the packet and Intrusion Detection System are blinded D. SSL will slow down the IDS while it is breaking the encryption to see the packet content

: C Explanation: An IDS will not be able to evaluate the content in the packets if it is encrypted.

487 ( Topic 19) An Evil Cracker is attempting to penetrate your private network security. To do this, he must not be seen by your IDS, as it may take action to stop him. What tool might he use to bypass the IDS? Select the best answer. A. Firewalk B. Manhunt C. Fragrouter D. Fragids

: C Explanation: Explanations: Firewalking is a way to disguise a portscan. Thus, firewalking is not a tool, but a method of conducting a port scan in which it can be hidden from some firewalls. Synamtec Man-Hunt is an IDS, not a tool to evade an IDS. Fragrouter is a tool that can take IP traffic and fragment it into multiple pieces. There is a legitimate reason that fragmentation is done, but it is also a technique that can help an attacker to evade detection while Fragids is a made-up tool and does not exist.

416 ( Topic 15) Sally is a network admin for a small company. She was asked to install wireless accesspoints in the building. In looking at the specifications for the access-points, she sees that all of them offer WEP. Which of these are true about WEP? Select the best answer. A. Stands for Wireless Encryption Protocol B. It makes a WLAN as secure as a LAN C. Stands for Wired Equivalent Privacy D. It offers end to end security

: C Explanation: Explanations: WEP is intended to make a WLAN as secure as a LAN but because a WLAN is not constrained by wired, this makes access much easier. Also, WEP has flaws that make it less secure than was once thought.WEP does not offer end-to-end security. It only attempts to protect the wireless portion of the network.

419 ( Topic 15) Jackson discovers that the wireless AP transmits 128 bytes of plaintext, and the station responds by encrypting the plaintext. It then transmits the resulting ciphertext using the same key and cipher that are used by WEP to encrypt subsequent network traffic. What authentication mechanism is being followed here? A. no authentication B. single key authentication C. shared key authentication D. open system authentication

: C Explanation: Explantion: The following picture shows how the WEP authentication procedure:

490 ( Topic 19) What is the tool Firewalk used for? A. To test the IDS for proper operation B. To test a firewall for proper operation C. To determine what rules are in place for a firewall D. To test the webserver configuration E. Firewalk is a firewall auto configuration tool

: C Explanation: Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device "firewall" will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will likely drop the packets and no response will be returned.

481 ( Topic 19) Why would an ethical hacker use the technique of firewalking? A. It is a technique used to discover wireless network on foot. B. It is a technique used to map routers on a network link. C. It is a technique used to discover the nature of rules configured on a gateway. D. It is a technique used to discover interfaces in promiscuous mode.

: C Explanation: Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attackers host to a destination host through a packet-filtering device. This technique can be used to map open or pass through ports on a gateway. More over, it can determine whether packets with various control information can pass through a given gateway.

476 ( Topic 19) An Employee wants to bypass detection by a network-based IDS application and does not want to attack the system containing the IDS application. Which of the following strategies can the employee use to evade detection by the network based IDS application? A. Create a ping flood B. Create a SYN flood C. Create a covert network tunnel D. Create multiple false positives

: C Explanation: HTTP Tunneling is a technique by which communications performed using various network protocols are encapsulated using the HTTP protocol, the network protocols in question usually belonging to the TCP/IP family of protocols. The HTTP protocol therefore acts as a wrapper for a covert channel that the network protocol being tunneled uses to communicate. The HTTP stream with its covert channel is termed a HTTP Tunnel. Very few firewalls blocks outgoing HTTP traffic.

453 ( Topic 18) After studying the following log entries, how many user IDs can you identify that the attacker has tampered with? 1. mkdir -p /etc/X11/applnk/Internet/.etc 2. mkdir -p /etc/X11/applnk/Internet/.etcpasswd 3. touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd 4. touch -acmr /etc /etc/X11/applnk/Internet/.etc 5. passwd nobody -d 6. /usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash 7. passwd dns -d 8. touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd 9. touch -acmr /etc/X11/applnk/Internet/.etc /etc A. IUSR_ B. acmr, dns C. nobody, dns D. nobody, IUSR_

: C Explanation: Passwd is the command used to modify a user password and it has been used together with the usernames nobody and dns.

403 ( Topic 15) Why do you need to capture five to ten million packets in order to crack WEP with AirSnort? A. All IVs are vulnerable to attack B. Air Snort uses a cache of packets C. Air Snort implements the FMS attack and only encrypted packets are counted D. A majority of weak IVs transmitted by access points and wireless cards are not filtered by contemporary wireless manufacturers

: C Explanation: Since the summer of 2001, WEP cracking has been a trivial but time consuming process. A few tools, AirSnort perhaps the most famous, that implement the Fluhrer-Mantin-Shamir (FMS) attack were released to the security community -- who until then were aware of the problems with WEP but did not have practical penetration testing tools. Although simple to use, these tools require a very large number of packets to be gathered before being able to crack a WEP key. The AirSnort web site estimates the total number of packets at five to ten million, but the number actually required may be higher than you think.

457 ( Topic 18) You have just installed a new Linux file server at your office. This server is going to be used by several individuals in the organization, and unauthorized personnel must not be able to modify any data. What kind of program can you use to track changes to files on the server? A. Network Based IDS (NIDS) B. Personal Firewall C. System Integrity Verifier (SIV) D. Linux IP Chains

: C Explanation: System Integrity Verifiers like Tripwire aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner.

422 ( Topic 15) Which of the following is NOT a reason 802.11 WEP encryption is vulnerable? A. There is no mutual authentication between wireless clients and access points B. Automated tools like AirSnort are available to discover WEP keys C. The standard does not provide for centralized key management D. The 24 bit Initialization Vector (IV) field is too small

: C Explanation: The lack of centralized key management in itself is not a reason that the WEP encryption is vulnerable, it is the people setting the user shared key that makes it unsecure. Topic 16, Virus and Worms -

450 ( Topic 18) Joe the Hacker breaks into companys Linux system and plants a wiretap program in order to sniff passwords and user accounts off the wire. The wiretap program is embedded as a Trojan horse in one of the network utilities. Joe is worried that network administrator might detect the wiretap program by querying the interfaces to see if they are running in promiscuous mode. Running ifconfig a will produce the following: # ifconfig a 1o0: flags=848<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232 inet 127.0.0.1 netmask ff000000hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,MULTICAST> mtu 1500 inet 192.0.2.99 netmask ffffff00 broadcast 134.5.2.255 ether 8:0:20:9c:a2:35 What can Joe do to hide the wiretap program from being detected by ifconfig command? A. Block output to the console whenever the user runs ifconfig command by running screen capture utiliyu B. Run the wiretap program in stealth mode from being detected by the ifconfig command. C. Replace original ifconfig utility with the rootkit version of ifconfig hiding Promiscuous information being displayed on the console. D. You cannot disable Promiscuous mode detection on Linux systems.

: C Explanation: The normal way to hide these rogue programs running on systems is the use crafted commands like ifconfig and ls.

441 ( Topic 18) is the windows port of the famous TCPDump packet sniffer available on a variety of platforms. In order to use this tool on the Windows platform you must install a packet capture library. What is the name of this library? A. NTPCAP B. LibPCAP C. WinPCAP D. PCAP

: C Explanation: WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.

455 ( Topic 18) Jims Organization just completed a major Linux roll out and now all of the organizations systems are running Linux 2.5 Kernel. The roll out expenses has posed constraints on purchasing other essential security equipment and software. The organization requires an option to control network traffic and also perform stateful inspection of traffic going into and out of the DMZ, which built-in functionality of Linux can achieve this? A. IP ICMP B. IP Sniffer C. IP tables D. IP Chains

: C Explanation: iptables is the name of the user space tool by which administrators create rules for the packet filtering and NAT modules. While technically iptables is merely the tool which controls the packet filtering and NAT components within the kernel, the name is often used to refer to the entire infrastructure, including netfilter, connection tracking and NAT, as well as the tool itself. iptables is a standard part of all modern Linux distributions.

495 ( Topic 19) What is a sheepdip? A. It is another name for Honeynet B. It is a machine used to coordinate honeynets C. It is the process of checking physical media for virus before they are used in a computer D. None of the above -

: C , a sheepdip is the process of checking physical media, such as floppy disks or CD-ROMs, for viruses before they are used in a computer. Typically, a computer that sheepdips is used only for that process and nothing else and is isolated from the other computers, meaning it is not connected to the network. Most sheepdips use at least two different antivirus programs in order to increase effectiveness.

405 ( Topic 15) In an attempt to secure his 802.11b wireless network, Ulf decides to use a strategic antenna positioning. He places the antenna for the access points near the center of the building. For those access points near the outer edge of the building he uses semi-directional antennas that face towards the buildings center. There is a large parking lot and outlying filed surrounding the building that extends out half a mile around the building. Ulf figures that with this and his placement of antennas, his wireless network will be safe from attack. Which of the following statements is true? A. With the 300 feet limit of a wireless signal, Ulf's network is safe. B. Wireless signals can be detected from miles away, Ulf's network is not safe. C. Ulf's network will be safe but only of he doesn't switch to 802.11a. D. Ulf's network will not be safe until he also enables WEP.

: D

486 ( Topic 19) A program that defends against a port scanner will attempt to: A. Sends back bogus data to the port scanner B. Log a violation and recommend use of security-auditing tools C. Limit access by the scanning system to publicly available ports only D. Update a firewall rule in real time to prevent the port scan from being completed

: D

401 ( Topic 15) Sandra is conducting a penetration test for ABC.com. She knows that ABC.com is using wireless networking for some of the offices in the building right down the street. Through social engineering she discovers that they are using 802.11g. Sandra knows that 802.11g uses the same 2.4GHz frequency range as 802.11b. Using NetStumbler and her 802.11b wireless NIC, Sandra drives over to the building to map the wireless networks. However, even though she repositions herself around the building several times, Sandra is not able to detect a single AP. What do you think is the reason behind this? A. Netstumbler does not work against 802.11g. B. You can only pick up 802.11g signals with 802.11a wireless cards. C. The access points probably have WEP enabled so they cannot be detected. D. The access points probably have disabled broadcasting of the SSID so they cannot be detected. E. 802.11g uses OFDM while 802.11b uses DSSS so despite the same frequency and 802.11b card cannot see an 802.11g signal. F. Sandra must be doing something wrong, as there is no reason for her to not see the signals.

: D Explanation: Netstumbler can not detect networks that do not respond to broadcast requests.

463 ( Topic 19) Eric notices repeated probes to port 1080. He learns that the protocol being used is designed to allow a host outside of a firewall to connect transparently and securely through the firewall. He wonders if his firewall has been breached. What would be your inference? A. Eric network has been penetrated by a firewall breach B. The attacker is using the ICMP protocol to have a covert channel C. Eric has a Wingate package providing FTP redirection on his network D. Somebody is using SOCKS on the network to communicate through the firewall

: D Explanation: Port Description: SOCKS. SOCKS port, used to support outbound tcp services (FTP, HTTP, etc). Vulnerable similar to FTP Bounce, in that attacker can connect to this port and \bounce\ out to another internal host. Done to either reach a protected internal host or mask true source of attack. Listen for connection attempts to this port -- good sign of port scans, SOCKS-probes, or bounce attacks. Also a means to access restricted resources. Example: Bouncing off a MILNET gateway SOCKS port allows attacker to access web sites, etc. that were restricted only to.mil domain hosts.

446 ( Topic 18) Ron has configured his network to provide strong perimeter security. As part of his network architecture, he has included a host that is fully exposed to attack. The system is on the public side of the demilitarized zone, unprotected by a firewall or filtering router. What would you call such a host? A. Honeypot B. DMZ host C. DWZ host D. Bastion Host

: D Explanation: A bastion host is a gateway between an inside network and an outside network. Used as a security measure, the bastion host is designed to defend against attacks aimed at the inside network. Depending on a network's complexity and configuration, a single bastion host may stand guard by itself, or be part of a larger security system with different layers of protection.

494 ( Topic 19) Basically, there are two approaches to network intrusion detection: signature detection, and anomaly detection. The signature detection approach utilizes well- known signatures for network traffic to identify potentially malicious traffic. The anomaly detection approach utilizes a previous history of network traffic to search for patterns that are abnormal, which would indicate an intrusion. How can an attacker disguise his buffer overflow attack signature such that there is a greater probability of his attack going undetected by the IDS? A. He can use a shellcode that will perform a reverse telnet back to his machine B. He can use a dynamic return address to overwrite the correct value in the target machine computer memory C. He can chain NOOP instructions into a NOOP "sled" that advances the processor's instruction pointer to a random place of choice D. He can use polymorphic shell code-with a tool such as ADMmutate - to change the signature of his exploit as seen by a network IDS

: D Explanation: ADMmutate is using a polymorphic technique designed to circumvent certain forms of signature based intrusion detection. All network based remote buffer overflow exploits have similarities in how they function. ADMmutate has the ability to emulate the protocol of the service the attacker is attempting to exploit. The data payload (sometimes referred to as an egg) contains the instructions the attacker wants to execute on the target machine. These eggs are generally interchangeable and can be utilized in many different buffer overflow exploits. ADMmutate uses several techniques to randomize the contents of the egg in any given buffer overflow exploit. This randomization effectively changes the content or 'signature' of the exploit without changing the functionality of the exploit.

430 ( Topic 16) June, a security analyst, understands that a polymorphic virus has the ability to mutate and can change its known viral signature and hide from signature-based antivirus programs. Can June use an antivirus program in this case and would it be effective against a polymorphic virus? A. No. June can't use an antivirus program since it compares the size of executable files to the database of known viral signatures and it is effective on a polymorphic virus B. Yes. June can use an antivirus program since it compares the parity bit of executable files to the database of known check sum counts and it is effective on a polymorphic virus C. Yes. June can use an antivirus program since it compares the signatures of executable files to the database of known viral signatures and it is very effective against a polymorphic virus D. No. June can't use an antivirus program since it compares the signatures of executable files to the database of known viral signatures and in the case the polymorphic viruses cannot be detected by a signature-based anti-virus program

: D Explanation: Although there are functions like heuristic scanning and sandbox technology, the Antivirus program is still mainly depending of signature databases and can only find already known viruses.

418 ( Topic 15) RC4 is known to be a good stream generator. RC4 is used within the WEP standard on wireless LAN. WEP is known to be insecure even if we are using a stream cipher that is known to be secured. What is the most likely cause behind this? A. There are some flaws in the implementation. B. There is no key management. C. The IV range is too small. D. All of the above. E. None of the above.

: D Explanation: Because RC4 is a stream cipher, the same traffic key must never be used twice. The purpose of an IV, which is transmitted as plain text, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network. The way the IV was used also opened WEP to a related key attack. For a 24-bit IV, there is a 50% probability the same IV will repeat after 5000 packets. Many WEP systems require a key in hexadecimal format. Some users choose keys that Such keys are often easily guessed.

483 ( Topic 19) What is a primary advantage a hacker gains by using encryption or programs such as Loki? A. It allows an easy way to gain administrator rights B. It is effective against Windows computers C. It slows down the effective response of an IDS D. IDS systems are unable to decrypt it E. Traffic will not be modified in transit

: D Explanation: Because the traffic is encrypted, an IDS cannot understand it or evaluate the payload.

415 ( Topic 15) Derek has stumbled upon a wireless network and wants to assess its security. However, he does not find enough traffic for a good capture. He intends to use AirSnort on the captured traffic to crack the WEP key and does not know the IP address range or the AP. How can he generate traffic on the network so that he can capture enough packets to crack the WEP key? A. Use any ARP requests found in the capture B. Derek can use a session replay on the packets captured C. Derek can use KisMAC as it needs two USB devices to generate traffic D. Use Ettercap to discover the gateway and ICMP ping flood tool to generate traffic

: D Explanation: By forcing the network to answer to a lot of ICMP messages you can gather enough packets to crack the WEP key.

466 ( Topic 19) What is the purpose of firewalking? A. It's a technique used to discover Wireless network on foot B. It's a technique used to map routers on a network link C. It's a technique used to discover interface in promiscuous mode D. It's a technique used to discover what rules are configured on a gateway

: D Explanation: Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attackers host to a destination host through a packet-filtering device. This technique can be used to map open or pass through ports on a gateway. More over, it can determine whether packets with various control information can pass through a given gateway.

459 ( Topic 19) While scanning a network you observe that all of the web servers in the DMZ are responding to ACK packets on port 80. What can you infer from this observation? A. They are using Windows based web servers. B. They are using UNIX based web servers. C. They are not using an intrusion detection system. D. They are not using a stateful inspection firewall.

: D Explanation: If they used a stateful inspection firewall this firewall would know if there has been a SYN-ACK before the ACK.

499 ( Topic 19) All the web servers in the DMZ respond to ACK scan on port 80. Why is this happening ? A. They are all Windows based webserver B. They are all Unix based webserver C. The company is not using IDS D. The company is not using a stateful firewall

: D Explanation: If they used a stateful inspection firewall this firewall would know if there has been a SYN-ACK before the ACK.

461 ( Topic 19) You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discovering the internal structure of publicly accessible areas of the network. How can you achieve this? A. Block TCP at the firewall B. Block UDP at the firewall C. Block ICMP at the firewall D. There is no way to completely block tracerouting into this area

: D Explanation: If you create rules that prevents attackers to perform traceroutes to your DMZ then youll also prevent anyone from accessing the DMZ from outside the company network and in that case it is not a DMZ you have.

436 ( Topic 17) In an attempt to secure his 802.11b wireless network, Bob decides to use strategic antenna positioning. He places the antenna for the access point near the center of the building. For those access points near the outer edge of the building he uses semi-directional antennas that face towards the buildings center. There is a large parking lot and outlying filed surrounding the building that extends out half a mile around the building. Bob figures that with this and his placement of antennas, his wireless network will be safe from attack. Which of he following statements is true? A. Bob's network will not be safe until he also enables WEP B. With the 300-foot limit of a wireless signal, Bob's network is safe C. Bob's network will be sage but only if he doesn't switch to 802.11a D. Wireless signals can be detected from miles away; Bob's network is not safe

: D Explanation: Its all depending on the capacity of the antenna that a potential hacker will use in order to gain access to the wireless net. Topic 18, Linux Hacking -

448 ( Topic 18) John is discussing security with Jane. Jane had mentioned to John earlier that she suspects an LKM has been installed on her server. She believes this is the reason that the server has been acting erratically lately. LKM stands for Loadable Kernel Module. What does this mean in the context of Linux Security? A. Loadable Kernel Modules are a mechanism for adding functionality to a file system without requiring a kernel recompilation. B. Loadable Kernel Modules are a mechanism for adding functionality to an operating- system kernel after it has been recompiled and the system rebooted. C. Loadable Kernel Modules are a mechanism for adding auditing to an operating-system kernel without requiring a kernel recompilation. D. Loadable Kernel Modules are a mechanism for adding functionality to an operating- system kernel without requiring a kernel recompilation.

: D Explanation: Loadable Kernel Modules, or LKM, are object files that contain code to without the need of a kernel recompilation. Operating systems other than Linux, such as BSD systems, also provide support for LKM's. However, the Linux kernel generally makes far greater and more versatile use of LKM's than other systems. LKM's are typically used to add support for new hardware, filesystems or for adding system calls. When the functionality provided by an LKM is no longer required, it can be unloaded, freeing memory.

409 ( Topic 15) Study the snort rule given below and interpret the rule. alert tcp any any --> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";) A. An alert is generated when a TCP packet is originated from port 111 of any IP address to the 192.168.1.0 subnet B. An alert is generated when any packet other than a TCP packet is seen on the network and destined for the 192.168.1.0 subnet C. An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0 subnet and destined to any IP on port 111 D. An alert is generated when a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111

: D Explanation: Refer to the online documentation on creating Snort rules at http://snort.org/docs/snort_htmanuals/htmanual_261/node147.html

431 ( Topic 16) Melissa is a virus that attacks Microsoft Windows platforms. To which category does this virus belong? A. Polymorphic B. Boot Sector infector C. System D. Macro

: D Explanation: The Melissa macro virus propagates in the form of an email message containing an infected Word document as an attachment. Topic 17, Physical Security -

429 ( Topic 16) You find the following entries in your web log. Each shows attempted access to either root.exe or cmd.exe. What caused this? GET /scripts/root.exe?/c+dir - GET /MSADC/root.exe?/c+dir - GET /c/winnt/system32/cmd.exe?/c+dir GET /d/winnt/system32/cmd.exe?/c+dir GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir GET - /msadc/..%5c../..%5c../..%5c/..xc1x1c../..xc1x1c../..xc1x1c../winnt/system32/cmd.exe?/c+di GET /scripts/..xc1x1c../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc0/../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc0xaf../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc1x9c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir A. The Morris worm B. The PIF virus C. Trinoo D. Nimda E. Code Red F. Ping of Death

: D Explanation: The Nimda worm modifies all web content files it finds. As a result, any user browsing web content on the system, whether via the file system or via a web server, may download a copy of the worm. Some browsers may automatically execute the downloaded copy, thereby, infecting the browsing system. The high scanning rate of the Nimda worm may also cause bandwidth denial-of-service conditions on networks with infected machines and allow intruders the ability to execute arbitrary commands within the Local System security context on machines running the unpatched versions of IIS.

479 ( Topic 19) Exhibit: Given the following extract from the snort log on a honeypot, what do you infer from the attack? A. A new port was opened B. A new user id was created C. The exploit was successful D. The exploit was not successful

: D Explanation: The attacker submits a PASS to the honeypot and receives a login incorrect before disconnecting.

406 ( Topic 15) While probing an organization you discover that they have a wireless network. From your attempts to connect to the WLAN you determine that they have deployed MAC filtering by using ACL on the access points. What would be the easiest way to circumvent and communicate on the WLAN? A. Attempt to crack the WEP key using Airsnort. B. Attempt to brute force the access point and update or delete the MAC ACL. C. Steel a client computer and use it to access the wireless network. D. Sniff traffic if the WLAN and spoof your MAC address to one that you captured.

: D Explanation: The easiest way to gain access to the WLAN would be to spoof your MAC address to one that already exists on the network.

460 ( Topic 19) You have discovered that an employee has attached a modem to his telephone line and workstation. He has used this modem to dial in to his workstation, thereby bypassing your firewall. A security breach has occurred as a direct result of this activity. The employee explains that he used the modem because he had to download software for a department project. What can you do to solve this problem? A. Install a network-based IDS B. Reconfigure the firewall C. Conduct a needs analysis D. Enforce your security policy

: D Explanation: The employee was unaware of security policy.

438 ( Topic 18) Which of the following snort rules look for FTP root login attempts? A. alert tcp -> any port 21 (msg:"user root";) B. alert tcp -> any port 21 (message:"user root";) C. alert ftp -> ftp (content:"user password root";) D. alert tcp any any -> any any 21 (content:"user root";)

: D Explanation: The snort rule header is built by defining action (alert), protocol (tcp), from IP subnet port (any any), to IP subnet port (any any 21), Payload Detection Rule Options (content:user root;)

497 ( Topic 19) Neil is closely monitoring his firewall rules and logs on a regular basis. Some of the users have complained to Neil that there are a few employees who are visiting offensive web site during work hours, without any consideration for others. Neil knows that he has an up-to-date content filtering system and such access should not be authorized. What type of technique might be used by these offenders to access the Internet without restriction? A. They are using UDP that is always authorized at the firewall B. They are using an older version of Internet Explorer that allow them to bypass the proxy server C. They have been able to compromise the firewall, modify the rules, and give themselves proper access D. They are using tunneling software that allows them to communicate with protocols in a way it was not intended

: D Explanation: This can be accomplished by, for example, tunneling the http traffic over SSH if you have a SSH server answering to your connection, you enable dynamic forwarding in the ssh client and configure Internet Explorer to use a SOCKS Proxy for network traffic.

467 ( Topic 19) During the intelligence gathering phase of a penetration test, you come across a press release by a security products vendor stating that they have signed a multi- million dollar agreement with the company you are targeting. The contract was for vulnerability assessment tools and network based IDS systems. While researching on that particular brand of IDS you notice that its default installation allows it to perform sniffing and attack analysis on one NIC and caters to its management and reporting on another NIC. The sniffing interface is completely unbound from the TCP/IP stack by default. Assuming the defaults were used, how can you detect these sniffing interfaces? A. Use a ping flood against the IP of the sniffing NIC and look for latency in the responses. B. Send your attack traffic and look for it to be dropped by the IDS. C. Set your IP to that of the IDS and look for it as it attempts to knock your computer off the network. D. The sniffing interface cannot be detected.

: D Explanation: When a Nic is set to Promiscuous mode it just blindly takes whatever comes through to it network interface and sends it to the Application layer. This is why they are so hard to detect. Actually you could use ARP requests and Send them to every pc and the one which responds to all the requests can be identified as a NIC on Promiscuous mode and there are some very special programs that can do this for you. But considering the alternatives in the question the right answer has to be that the interface cannot be detected.

465 ( Topic 19) You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discover the internal structure of publicly accessible areas of the network. How can you achieve this? A. Block ICMP at the firewall. B. Block UDP at the firewall. C. Both A and B. D. There is no way to completely block doing a trace route into this area.

: D Explanation: When you run a traceroute to a target network address, you send a UDP packet with one time to live (TTL) to the target address. The first router this packet hits decreases the TTL to 0 and rejects the packet. Now the TTL for the packet is expired. The router sends back an ICMP message type 11 (Exceeded) code 0 (TTL--Exceeded) packet to your system with a source address. Your system displays the round-trip time for that first hop and sends out the next UDP packet with a TTL of 2.This process continues until you receive an ICMP message type 3 (Unreachable) code 3 (Port--Unreachable) from the destination system. Traceroute is completed when your machine receives a Port- Unreachable message.If you receive a message with three asterisks [* * *] during the traceroute, a router in the path doesn't return ICMP messages. Traceroute will continue to send UDP packets until the destination is reached or the maximum number of hops is exceeded.

482 ( Topic 19) Most NIDS systems operate in layer 2 of the OSI model. These systems feed raw traffic into a detection engine and rely on the pattern matching and/or statistical analysis to determine what is malicious. Packets are not processed by the host's TCP/IP stack allowing the NIDS to analyze traffic the host would otherwise discard. Which of the following tools allows an attacker to intentionally craft packets to confuse pattern-matching NIDS systems, while still being correctly assembled by the host TCP/IP stack to render the attack payload? A. Defrag B. Tcpfrag C. Tcpdump D. Fragroute

: D Explanation: fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, implementing most of the attacks described in the Secure Networks "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of January 1998. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour. This tool was written in good faith to aid in the testing of network intrusion detection systems, firewalls, and basic TCP/IP stack behaviour.

474 ( Topic 19) While examining a log report you find out that an intrusion has been attempted by a machine whose IP address is displayed as 0xde.0xad.0xbe.0xef. It looks to you like a hexadecimal number. You perform a ping 0xde.0xad.0xbe.0xef. Which of the following IP addresses will respond to the ping and hence will likely be responsible for the the intrusion A. 192.10.25.9 B. 10.0.3.4 C. 203.20.4.5 D. 222.273.290.239 E. 222.173.290.239

: E Explanation: Convert the hex number to binary and then to decimal. 0xde.0xad.0xbe.0xef translates to 222.173.190.239 and not 222.273.290.239 0xef = 15*1 = 15 14*16 = 224 ______ = 239 0xbe = 14*1 = 14 11*16 = 176 ______ = 190 0xad = 13*1 = 13 10*16 = 160 ______ = 173 0xde = 14*1 = 14 13*16 = 208 ______ = 222