  1.  A target machine (with a MAC of 12:34:56:AB:CD:EF) is connected to a switch port. An attacker (with a MAC of 78:91:00:ED:BC:A1) is attached to a separate port on the same switch with a packet capture running. There is no spanning of ports or port security in place. Two packets leave the target machine. Message 1 has a destination MAC of E1:22:BA:87:AC:12. Message 2 has a destination MAC of FF:FF:FF:FF:FF:FF. Which of the following statements is true regarding the messages being sent?
A.  The attacker will see message 1.
B.  The attacker will see message 2.
C.  The attacker will see both messages.
D.  The attacker will see neither message.
B. This question is all about how a switch works, with a little MAC knowledge thrown in. Remember that switches are designed to filter unicast messages but to flood multicast and broadcast messages (filtering sends a frame out only the port the CAM table maps to the destination MAC; flooding sends it out every port except the one it arrived on). Broadcast MAC addresses in the frame are easy to spot: they are always all F's, indicating all 48 bits turned on in the address. In this case, message 1 is a unicast frame and went off to the port that owns E1:22:BA:87:AC:12, whereas message 2 is clearly a broadcast, which the switch will gladly flood to all ports, including the attacker's. One caveat a practitioner should keep in mind: a switch also floods unicast frames whose destination MAC is not yet in its CAM table (unknown unicast), so the attacker would see message 1 too if the switch had never learned E1:22:BA:87:AC:12. The question's "no port security" and "same switch" wording is telling you the table is populated and behaving normally.
A is incorrect because the unicast destination MAC does not match the attacker's machine. When the frame is read by the switch and compared to the internal address list (CAM table), it is filtered and sent only to the appropriate destination port.
C is incorrect because the switch will not flood both messages to the attacker's port; it floods only broadcast, multicast, and unknown-unicast frames.
D is incorrect because the broadcast frame will definitely be seen by the attacker.
  2.  You have successfully tapped into a network subnet of your target organization. You begin an attack by learning all significant MAC addresses on the subnet. After some time, you decide to intercept messages between two hosts. You begin by sending broadcast messages to Host A showing your MAC address as belonging to Host B. Simultaneously, you send messages to Host B showing your MAC address as belonging to Host A. What is being accomplished here?
A.  ARP poisoning to allow you to see all messages from both sides without interrupting their communications process
B.  ARP poisoning to allow you to see messages from Host A to Host B, and vice versa
C.  ARP poisoning to allow you to see messages from Host A destined to any address
D.  ARP poisoning to allow you to see messages from Host B destined to any address
E.  Failed ARP poisoning—you will not be able to see any traffic
B. ARP poisoning is a relatively simple way to place yourself as the "man in the middle" and spy on traffic. (By the way, be careful with the term man in the middle, because it usually refers to a position where you relay the traffic rather than interrupt it.) A host's ARP cache is updated when it sends an ARP request and receives the reply, and on many operating systems also when it receives an unsolicited ARP reply or a gratuitous ARP advertising a MAC-to-IP mapping; ARP has no authentication, so the cache trusts whatever it hears. In this example, you've told Host A and Host B that you hold the MAC address for Host B and Host A, respectively. Both machines update their cache, and when a message is crafted by the OS, it will happily put the spoofed MAC in the frame. Just remember that ARP poisoning is oftentimes noisy: the spoofed replies are visible to anyone sniffing, a monitor such as arpwatch will log the IP-to-MAC change, and switch features such as Dynamic ARP Inspection (which validates ARP packets against DHCP snooping bindings) or port security can block or expose it. Additionally, watch out for denial of service side effects: unless you forward the intercepted packets on to their real destination (for example, by enabling IP forwarding on your machine), the two hosts can no longer reach each other, and you may very well bring down a target without even trying to.
A is incorrect for a couple of reasons. First, you won't receive messages from each host addressed to anywhere in the world; you'll only receive messages addressed from one to the other, and vice versa. Second, the communications flow between the two hosts is affected by this. As a matter of fact, the poisoning sends every frame between them to the attacker, and neither machine can talk to the other unless the attacker deliberately forwards the traffic on.
C is incorrect for a couple of reasons. First, it references only one host when the ARP poisoning is in both directions. Second, you would not get messages from Host A to any destination, only those that are addressed to Host B.
D is incorrect for a couple of reasons. First, it references only one host when the ARP poisoning is in both directions. Second, you would not get messages from Host B to everywhere, only those that are addressed to Host A.
E is incorrect because the ARP poisoning should work fine here (absent Dynamic ARP Inspection or static ARP entries on the hosts), and you will see traffic between the two hosts.
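The exchange in question 2, worked through on the wire as an added example (this code is not from the book). It builds the spoofed ARP replies the attacker sends to Host A and Host B as raw Ethernet/ARP frames, parses them back, and runs them past a small arpwatch-style detector that remembers the first MAC seen for each IP and alerts when a later message claims a different one. All MAC and IP addresses here are constructed for the demo; the attacker sends the replies unicast to each victim, which is the usual (and quieter) choice even though the question says broadcast.

```python
"""Constructing, parsing, and watching ARP frames on the wire.

Added example (not from the book). The MAC and IP addresses are constructed
for the demo; the frame layout is Ethernet II + ARP as defined in RFC 826.
"""
import struct
from typing import Dict, List, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str, dst_mac: str = None) -> bytes:
    """Ethernet II header + 28-byte ARP body. dst_mac defaults to target_mac,
    which is what a unicast (poisoning) reply uses; pass BROADCAST for a request."""
    eth = mac_bytes(dst_mac or target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Dict[str, object]:
    """Decode an ARP-over-Ethernet frame; raises ValueError for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol encoding")
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class ArpWatcher:
    """Passive detector in the spirit of arpwatch: remember the first MAC seen
    for each IP and alert when a later ARP message claims a different MAC."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}
        self.alerts: List[Tuple[str, str, str]] = []  # (ip, old_mac, new_mac)

    def observe(self, frame: bytes) -> None:
        arp = parse_arp(frame)
        # Requests and replies both carry a sender binding, and hosts cache both,
        # so the watcher learns from both as well.
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            self.alerts.append((ip, known, mac))
            self.table[ip] = mac  # mirror what a poisoned host's cache now holds


def demo() -> ArpWatcher:
    """Legitimate A<->B resolution followed by a bidirectional poisoning."""
    host_a = ("aa:aa:aa:aa:aa:01", "10.0.0.1")
    host_b = ("bb:bb:bb:bb:bb:02", "10.0.0.2")
    attacker_mac = "cc:cc:cc:cc:cc:03"
    watcher = ArpWatcher()
    # Host A asks "who has 10.0.0.2?", Host B answers.
    watcher.observe(build_arp(ARP_REQUEST, *host_a, ZERO_MAC, host_b[1], dst_mac=BROADCAST))
    watcher.observe(build_arp(ARP_REPLY, *host_b, *host_a))
    # Attacker tells A "10.0.0.2 is at cc:..." and tells B "10.0.0.1 is at cc:...".
    watcher.observe(build_arp(ARP_REPLY, attacker_mac, host_b[1], *host_a))
    watcher.observe(build_arp(ARP_REPLY, attacker_mac, host_a[1], *host_b))
    return watcher


if __name__ == "__main__":
    for ip, old, new in demo().alerts:
        print(f"ALERT {ip} changed from {old} to {new}")
```

The detector is deliberately simple: it keys on the sender binding, so it fires on both of the attacker's replies, and it mirrors what the victims' caches now hold (both IPs resolve to the attacker). A real deployment would also want to whitelist legitimate changes such as DHCP churn and failover VIPs, or those become the false positives.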
  3.  Sniffing network traffic can sometimes be a function of an investigation run by a law enforcement agency (LEA). Within the confines of the lawful intercept, what provides most of the processing of the information and is usually provided by a third party?
A.  IAP
B.  Collection function
C.  Wiretap
D.  Mediation device
D. This question comes straight out of EC-Council's definitions of a lawful intercept, which is a process allowing an LEA to sniff traffic based on a judicial order. A lot of approvals and whatnot are needed to set up this tap, but within the confines of the entire intercept you have a judicial order allowing it, a tap (usually the service provider opens a port for this), something to process all the data (the mediation device), and a collection area where everything is stored and parsed or processed further. The key in this question is the third-party portion: a mediation device is usually provided by a third party, whereas the tap and the collection are not.
A is incorrect because the IAP (intercept access point) is the device providing all the raw data, the tap being used to capture everything.
B is incorrect because the collection function is an application that stores and parses the information gleaned from the tap and mediation devices.
C is incorrect because a wiretap is simply a device that connects to a communications circuit, allowing for the sniffing of traffic.
  4.  An attacker has successfully tapped into a network segment and has configured port spanning for his connection, which allows him to see all traffic passing through the switch. Which of the following protocols protects any sensitive data from being seen by this attacker?
A.  FTP
B.  IMAP
C.  Telnet
D.  POP
E.  SMTP
F.  SSH
F. The biggest deterrent you have to sniffing is encryption (as an aside, it's also the biggest threat to an IDS, but that's for a different question). All the other protocols listed here are susceptible to sniffing because, in their base form, they pass information in the clear, that is, with no encryption. SSH is the only one listed that provides secured transmission and is, therefore, the only correct answer. The CEH exam objective here is to ensure you know which protocols pass information in the clear (and are thus easy to sniff) and which do not. A practitioner's caveat: IMAP, POP, SMTP, and FTP all have TLS-protected variants (IMAPS on 993, POP3S on 995, SMTP with STARTTLS or SMTPS on 465, FTPS), and when those are in use the credentials are not visible on the wire. The exam is asking about the plain protocols.
A is incorrect because FTP sends its passwords and all data in clear text. If you're sniffing the wire and someone logs in with FTP, voilà, you've got it all.
B is incorrect because IMAP also passes all information, including passwords, in the clear.
C is incorrect because telnet is another open protocol, passing everything in the clear.
D is incorrect because POP sends all information in clear text.
E is incorrect because SMTP also sends everything in clear text; just look at your e-mail headers if you doubt me.
  5.  You have a large packet capture file in Wireshark to review. You wish to filter traffic to show all packets with an IP address of 192.168.22.5 that contain the string HR_admin. Which of the following filters would accomplish this task?
A.  ip.addr==192.168.22.5 &&tcp contains HR_admin
B.  ip.addr 192.168.22.5 && "HR_admin"
C.  ip.addr 192.168.22.5 &&tcp string ==HR_admin
D.  ip.addr==192.168.22.5 + tcp contains tide
A. This is a perfect example of a typical Wireshark question on your exam (and you will see a couple). This is the only answer that sticks to Wireshark display filter syntax: a field, a comparison operator, a value. Definitely know the ip.addr, ip.src, and ip.dst fields; the "tcp contains" filter is another favorite of test question writers. When you combine filters in one expression, use the && operator (Wireshark also accepts the word and).
B, C, and D are all incorrect because the syntax is wrong for Wireshark display filters: ip.addr needs a comparison operator such as ==, a bare quoted string is not an expression, there is no "tcp string" field, and + is not a logical operator. As an aside, a great way to learn the syntax of these filters is to use the expression builder directly beside the filter entry box. It's self-explanatory and contains literally thousands of possible expression builds.
  6.  Which of the following is a tool used for MAC spoofing?
A.  PromiScan
B.  NetWitness
C.  CACE
D.  SMAC
D. SMAC is a tool for spoofing MAC addresses on Windows systems. It's free (at least initially), easy to use, and powerful. As an interesting aside, if you change the MAC address it will remain in the altered condition through reboot until you stop spoofing; in other words, the spoofed MAC stays in place until you manually change it back to the original value, even after a reboot.
A is incorrect because PromiScan is a tool designed specifically to help you detect promiscuous NIC use on your subnet. In other words, it can help you find sniffers on your network. It's an older commercial tool from SecurityFriday (not Microsoft) that carries a hefty price tag, but it became a de facto standard sniffing-node-detection tool, was recommended by SANS, and has been used worldwide since its release.
B is incorrect because NetWitness is an all-in-one sniffer from RSA's Advanced Security Management Solutions. It's not designed to spoof MAC addresses.
C is incorrect because CACE Pilot is another sniffing and network analysis tool.
  7.  You are attempting to sniff traffic on a switch. Which of the following is a good method to ensure you are successful? (Choose all that apply.)
A.  Reboot the switch immediately after connecting.
B.  Implement port security.
C.  Configure a span port.
D.  Use MAC flooding.
C and D. Switches filter unicast traffic, so your attached sniffer would only receive traffic intended for its MAC address, plus broadcast, multicast, and unknown-unicast frames. To get around this, there are two things you can do. One, if you can gain administrative access to the switch (the IOS command line on a Cisco switch, for example), you can configure a SPAN (mirror) port, which sends copies of frames from other ports to yours. Legitimate span ports are designed for things such as network IDS sensors. Second, you can use MAC flooding. Using a tool such as macof (from the dsniff package) or Yersinia, you send thousands and thousands of frames with random source MACs so that the switch's CAM table fills up. Once the table is full, the switch can no longer learn new addresses and must flood frames for those addresses out all ports, so it behaves much like a hub. Just know that MAC flooding is harder to pull off on modern switches (port security with a maximum MAC count per port stops it cold, and the flood itself is hard to miss), and that entries already in the CAM table keep being filtered until they age out. Lastly, don't get port spanning and sniffing confused with spoofing. Port spanning allows you to sniff traffic but doesn't do a thing for you in spoofing your own traffic.
A is incorrect because rebooting the switch will not help. Switches keep two configuration files, the running configuration in use while the switch is up and the startup configuration loaded at boot; generally these are the same, to protect the switch in case of a power outage or forced shutdown, so a reboot brings the same port configuration right back. (The CAM table is empty for a moment after a reboot, but it is relearned within seconds.)
B is incorrect because port security would actually frustrate your efforts even further. Port security is a method by which the administrator restricts a port to specific MAC addresses, or to a maximum number of learned MAC addresses, and drops frames or shuts the port down when that limit is violated.
  8.  Which of the following are modes Snort can operate in? (Choose all that apply.)
A.  Sniffer
B.  Spoofing
C.  Packet Logger
D.  Network IDS
A, C, and D. Snort is more than just a network intrusion detection system. It can run in three different modes. Sniffer mode is exactly what it sounds like, and lets you watch packets in real time as they come across your network tap. Packet Logger mode saves packets to disk for review at a later time. And, finally, what it's most famous for, Network Intrusion Detection System mode analyzes network traffic against various rule sets you pick from, depending on your network's situation.
B is incorrect because there is not a "Spoofing" mode in Snort.
  9.  Examine the following Snort rule:
[Snort rule shown as an image in the original; not reproduced]
Which of the following are true regarding the rule? (Choose all that apply.)
A.  This rule will alert on packets coming from the designated home network.
B.  This rule will alert on packets coming from outside the designated home address.
C.  This rule will alert on packets designated for any port, from port 23, containing the “admin” string.
D.  This rule will alert on packets designated on port 23, from any port, containing the “admin” string.
B and D. Snort rules, logs, entries, and configuration files will definitely be a part of your exam. This particular rule takes into account a lot of things you'll see. First, note the exclamation mark (!) just before the HOME_NET variable. Any time you see this, it negates the address or port that follows; in this case, the rule matches any packet from an address not in the home network. Following the source address is the source port, and the word "any" indicates we don't care what the source port is. Next, we spell out the destination: anything in the home network, on port 23. Lastly, we add one more search before the message we want to receive: the "content" option spells out a string (or a hex byte sequence between pipe characters) that must appear in the payload.
A and C are incorrect because these statements are the polar opposite of what the rule is stating.
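A small parser and matcher for the rule syntax the question describes, as an added example (not code from the book or from the Snort project). Because the book's rule is only shown as an image, the rule text below is constructed to match the description: alert on TCP from outside $HOME_NET, any source port, to $HOME_NET port 23, with "admin" in the payload. The code handles the common header subset (single addresses, CIDR, $VARIABLES, "any", "!" negation, port ranges) and plain content strings with the nocase modifier; hex content, the bidirectional <> operator, and the many other rule options are left out.

```python
"""A minimal parser and matcher for the Snort rule header/option syntax.

Added example (not from the book, not Snort's own code). RULE_TEXT is
constructed to match the question's description; the original rule is only
shown as an image. Handles a common subset of the syntax only.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

AddrSpec = Tuple[bool, Optional[list]]              # (negated, networks or None for "any")
PortSpec = Tuple[bool, Optional[Tuple[int, int]]]   # (negated, (lo, hi) or None for "any")


class SnortRule:
    HEADER = re.compile(
        r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
    )

    def __init__(self, text: str, variables: Dict[str, List[str]]) -> None:
        m = self.HEADER.match(text.strip())
        if not m:
            raise ValueError("unrecognised rule syntax")
        self.action, self.proto, src, sport, self.direction, dst, dport, opts = m.groups()
        self.src, self.sport = self._addr(src, variables), self._port(sport)
        self.dst, self.dport = self._addr(dst, variables), self._port(dport)
        self.options = self._options(opts)

    @staticmethod
    def _addr(spec: str, variables: Dict[str, List[str]]) -> AddrSpec:
        negated = spec.startswith("!")      # "!" flips the match
        spec = spec.lstrip("!")
        if spec == "any":
            return negated, None
        if spec.startswith("$"):            # $HOME_NET etc. come from the config
            return negated, [ipaddress.ip_network(n) for n in variables[spec[1:]]]
        return negated, [ipaddress.ip_network(spec)]

    @staticmethod
    def _port(spec: str) -> PortSpec:
        negated = spec.startswith("!")
        spec = spec.lstrip("!")
        if spec == "any":
            return negated, None
        if ":" in spec:                     # ranges such as 1024:65535, :1023, 8000:
            lo, hi = spec.split(":")
            return negated, (int(lo or 0), int(hi or 65535))
        return negated, (int(spec), int(spec))

    @staticmethod
    def _options(opts: str) -> Dict[str, str]:
        out: Dict[str, str] = {}
        for part in opts.split(";"):
            part = part.strip()
            if part:
                key, _, value = part.partition(":")
                out[key.strip()] = value.strip().strip('"')
        return out

    @staticmethod
    def _addr_match(spec: AddrSpec, ip: str) -> bool:
        negated, nets = spec
        hit = nets is None or any(ipaddress.ip_address(ip) in n for n in nets)
        return hit != negated

    @staticmethod
    def _port_match(spec: PortSpec, port: int) -> bool:
        negated, rng = spec
        hit = rng is None or rng[0] <= port <= rng[1]
        return hit != negated

    def matches(self, proto: str, src: str, sport: int, dst: str, dport: int, payload: bytes) -> bool:
        """True if the packet satisfies the header and the content option (-> only)."""
        if self.proto not in (proto, "ip"):
            return False
        if not (self._addr_match(self.src, src) and self._port_match(self.sport, sport)
                and self._addr_match(self.dst, dst) and self._port_match(self.dport, dport)):
            return False
        content = self.options.get("content")
        if content is not None:
            needle, haystack = content.encode(), payload
            if "nocase" in self.options:
                needle, haystack = needle.lower(), haystack.lower()
            if needle not in haystack:
                return False
        return True


# Constructed to match the question's description; not the book's image.
RULE_TEXT = 'alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"Telnet admin string"; content:"admin"; sid:1000001; rev:1;)'
VARIABLES = {"HOME_NET": ["192.168.1.0/24"]}   # assumed home network
RULE = SnortRule(RULE_TEXT, VARIABLES)


def check(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bool:
    return RULE.matches("tcp", src, sport, dst, dport, payload)


if __name__ == "__main__":
    print(check("203.0.113.7", 40211, "192.168.1.10", 23, b"login: admin"))  # outside -> inside:23
    print(check("192.168.1.5", 40211, "192.168.1.10", 23, b"login: admin"))  # inside source, negated away
```

The four checks in the test correspond to the answer choices: only the outside-to-inside, any-to-23 packet carrying "admin" fires; a packet from the home network (A), one with the ports reversed (C), or one without the string all fall through.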
10.  You wish to begin sniffing, and you have a Windows 7 laptop. You download and install Wireshark, but quickly discover your NIC needs to be in “promiscuous mode.” What allows you to put your NIC into promiscuous mode?
A.  Installing lmpcap
B.  Installing npcap
C.  Installing winPcap
D.  Installing libPcap
E.  Manipulating the NIC properties through Control Panel, Network and Internet, Change Adapter Settings
C. To understand this, you've got to know how a NIC is designed to work. The NIC "sees" lots of traffic, but only pulls in traffic it knows belongs to you. It does this by comparing the destination MAC address of each frame against its own: if they match, it pulls the frame in and works on it; if they don't match, the frame is ignored. If you plug a sniffer into a NIC that only looks at traffic designated for the machine you're on, you've kind of missed the point, wouldn't you say? Promiscuous mode tells the NIC to pull in everything it receives, whether or not the frame is addressed to it. This allows you to see every frame that reaches your interface; on a switched network that is only what the switch forwards to your port (see question 7), so promiscuous mode alone does not get you other hosts' unicast traffic. WinPcap is the packet capture driver and library that lets applications on Windows machines put the NIC into promiscuous mode and read raw frames.
A is incorrect because "lmpcap" does not exist.
B is listed as incorrect in the book's answer key because Npcap did not exist when the question was written. Be aware that it does now: Npcap, from the Nmap project, is the maintained successor to WinPcap and is the driver current Wireshark builds install on Windows. Expect the exam to want WinPcap.
D is incorrect because libpcap is the equivalent library on Linux and other Unix-like systems; it is not what you install on Windows.
E is incorrect because accessing the Change Adapter Settings window does not allow you to put the card into promiscuous mode; you still need a capture driver such as WinPcap for this.
11.  You are attempting to deliver a payload to a target inside the organization; however, it is behind an IDS. You are concerned about successfully accomplishing your task without alerting the IDS monitoring team. Which of the following methods are possible options? (Choose all that apply.)
A.  Flood the network with fake attacks.
B.  Encrypt the traffic between you and the host.
C.  Session hijacking.
D.  Session splicing.
B and D. Encryption has always been the enemy of network IDS. After all, if the traffic is encrypted and we can't see it, what good does it do to have a monitoring system look at the garbled bits? Granted, it would seem difficult to set up encryption between the target host and yourself, but it is plausible and, therefore, a good answer. Session splicing works as well. In session splicing, you spread the attack payload across many small TCP segments so that no single packet contains the string a signature would match; an IDS that inspects packets individually, or that gives up on reassembling a session before all the pieces arrive, misses it, while the target's TCP stack reassembles the stream as it always does. Fragmenting the payload at the IP layer works on the same principle (and if you want to get real sneaky, send the fragments out of order).
A is incorrect, but just barely so. Yes, flooding a network with fake attacks can definitely work. The cover fire from all the other attacks should allow you to sneak by. However, there is no way to accomplish this without alerting the monitoring team; after all, the objective is to keep them busy looking at all those fake attacks long enough for you to pull off a real one. Keep in mind that if you're going to attempt this method, you'll need a block of sacrificial IP addresses you won't mind losing. The security staff will, no doubt, see your initial attempts and start blocking those IPs from network access. If you're hoping to provide cover fire for a "real" attack, you'll need to have plenty of "pawn" IPs to sacrifice.
C is incorrect because session hijacking has almost nothing to do with IDS evasion. It has a lot to do with guessing sequence numbers and leaping into the middle of an existing, already-authenticated communications channel, but we're not on that chapter yet. Granted, you may be able to make use of some firewall applications or web sessions to bypass some IDS filters, but that's not the intent of this question (nor is that how it will be phrased on your exam).
12.  A pen test member has gained access to an open switch port. He configures his NIC for promiscuous mode and sets up a sniffer, plugging his laptop directly into the switch port. He watches traffic as it arrives at the system, looking for specific information to possibly use later. What type of sniffing is being practiced?
A.  Active
B.  Promiscuous
C.  Blind
D.  Passive
E.  Session
D. This is one of those weird CEH definitions that drive us all crazy on the exam. Knowing the definition of passive versus active isn't really going to make you a better pen tester, but it may save you a question on the test. When it comes to sniffing, if you are not injecting packets into the stream, it's a passive exercise. Tools such as Wireshark are passive in nature. A tool such as Ettercap, though, has built-in features to trick switches into sending all traffic its way, and all sorts of other sniffing hilarity. This type of sniffing, where you use packet injection to force a response, is active in nature.
A is incorrect because in the example given, no packet injection is being performed. The pen tester is simply hooking up a sniffer and watching what comes by. The only way this can be more passive is if he has a hammock nearby.
B is incorrect because the term promiscuous is not a sniffing type. Instead, it refers to the NIC's ability to pull in frames that are not addressed specifically to it.
C is incorrect because the term blind is not a sniffing type. This is included as a distractor.
E is incorrect because the term session is not a sniffing type. This is included as a distractor.
13.  Tcpdump is a popular packet capture sniffer. Examine the following segment of a tcpdump capture (note the capture only shows one side of the communication):
[tcpdump capture shown as an image in the original; not reproduced]
What can you gather from this capture? (Choose all that apply.)
A.  The FTP connection is from 192.168.1.12 to the local host.
B.  The FTP connection is from the local host to 192.168.5.12.
C.  The FTP connection was unsuccessful.
D.  The FTP authentication credentials are clearly visible.
B and D. Tcpdump is a great packet capture tool, but I personally hate going through all those lines of captured output. Wireshark, Cain and Abel, and a variety of other tools do this work for me; however, you will see snippets like this on your exam, so it's worthy of a look. First, note the "from > to" in each captured packet line, clearly showing packets from the local host to the destination. Next, remember when we discussed protocols that were susceptible to sniffing, and FTP was mentioned as one of them? The user ID (user1) and password (nothing) shown in clear text should provide ample explanation why that is true.
A is incorrect because the order is listed backward.
C is incorrect because the authentication credentials were passed successfully.
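The point of questions 4 and 13, worked as an added example (not code from the book): a sniffer that reads a pcap file, walks the Ethernet/IPv4/TCP headers, and harvests the USER and PASS lines from the FTP control channel, which is all it takes when the protocol sends credentials in the clear. Since the book's capture is only an image, the script constructs its own six-frame capture (made-up addresses, the username user1 and a made-up password) and writes it in the classic libpcap format, the same binary layout tcpdump -w produces, before reading it back; the TCP checksum is left at zero because nothing here verifies it.

```python
"""Write a pcap file (the binary format tcpdump -w produces), read it back,
and pull FTP credentials out of the cleartext control channel.

Added example (not from the book). The packets are constructed here so the
script runs offline; MACs, IPs, username, and password are made up. The IP
checksum is computed; the TCP checksum is left at zero.
"""
import struct
from typing import Dict, Iterator, List, Optional, Tuple

LINKTYPE_ETHERNET = 1
ETH_P_IP, IPPROTO_TCP, FTP_PORT = 0x0800, 6, 21


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum of 16-bit words (RFC 791), checksum field zeroed."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_ip: str, sport: int, dst_ip: str, dport: int, payload: bytes, seq: int = 1) -> bytes:
    """Ethernet II + IPv4 + TCP (PSH/ACK) carrying payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + tcp


def write_pcap(frames: List[bytes]) -> bytes:
    """Classic libpcap format: 24-byte global header, then a 16-byte record header per packet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes) -> Iterator[bytes]:
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def tcp_payload(frame: bytes) -> Optional[Tuple[str, int, str, int, bytes]]:
    """(src_ip, sport, dst_ip, dport, payload) for a TCP frame, else None."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if ip[9] != IPPROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return ip_str(ip[12:16]), sport, ip_str(ip[16:20]), dport, tcp[data_off:]


def harvest_ftp_credentials(pcap: bytes) -> List[Dict[str, str]]:
    """Follow each client->server FTP control stream and pair USER with PASS."""
    pending: Dict[Tuple[str, int, str], str] = {}  # (client, client port, server) -> username
    found: List[Dict[str, str]] = []
    for frame in read_pcap(pcap):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        if dport != FTP_PORT or not payload:
            continue  # only the client's commands carry credentials
        key = (src, sport, dst)
        for line in payload.decode("ascii", "replace").splitlines():
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                pending[key] = arg
            elif verb.upper() == "PASS" and key in pending:
                found.append({"client": src, "server": dst, "user": pending.pop(key), "password": arg})
    return found


def constructed_capture() -> bytes:
    """A made-up FTP login plus one SSH banner, as a sniffer on the wire would see them."""
    client, server = "192.168.5.20", "192.168.5.12"
    frames = [
        build_tcp_frame(server, FTP_PORT, client, 51000, b"220 FTP server ready\r\n"),
        build_tcp_frame(client, 51000, server, FTP_PORT, b"USER user1\r\n"),
        build_tcp_frame(server, FTP_PORT, client, 51000, b"331 Password required\r\n"),
        build_tcp_frame(client, 51000, server, FTP_PORT, b"PASS hunter2\r\n"),
        build_tcp_frame(server, FTP_PORT, client, 51000, b"230 Login successful\r\n"),
        build_tcp_frame(client, 51001, server, 22, b"SSH-2.0-OpenSSH_9.6\r\n"),  # nothing to harvest
    ]
    return write_pcap(frames)


if __name__ == "__main__":
    for cred in harvest_ftp_credentials(constructed_capture()):
        print(cred)
```

Writing the bytes from constructed_capture() to a file gives you something you can open in Wireshark or read with tcpdump -r to confirm the layout; the checksum test uses the worked IPv4 header example from RFC-style references (checksum 0xB861) rather than a value from the book.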
14.  What does this line from the Snort configuration file indicate?
[Snort configuration line shown as an image in the original; not reproduced]
A.  The configuration variable is not in proper syntax.
B.  It instructs the Snort engine to write rule violations in this location.
C.  It instructs the Snort engine to compare packets to the rule set named “rules.”
D.  It defines the location of the Snort rules.
D. The var RULE_PATH entry in the config file defines the path to the rules for the IDS; in this case, they are located in C:\etc\snort\rules. The rules directory holds tons of rule files, each available for you to "turn on." If you were configuring Snort to watch for fantasy football traffic, for example, you would tell it to look for all the rules in this directory and then turn on the rule file you defined for fantasy football connection attempts.
A is incorrect because this configuration line is in proper syntax.
B is incorrect because this variable is not designed for that purpose. The rule violations are written to a log directory that you designate when starting the Snort engine. For example, the command
[command shown as an image in the original; not reproduced]
starts Snort with its log directory at c:\snort\log.
C is incorrect because the "include" directive is the one used for this purpose. Within this same configuration file, for example, you may have a rule file named fantasy.rules. To get Snort to alert on those rules, you point the configuration file to where all the rules are (the RULE_PATH variable), then tell it which of the rule files to bring into play:
[include line shown as an image in the original; not reproduced]
15.  As part of a security monitoring team, Joe is reacting to an incursion into the network. The attacker successfully exploited a vulnerability on an internal machine, and Joe is examining how the attacker succeeded. He reviews the IDS logs but sees no alerts for the time period; however, there is definitive proof of the attack. Which IDS shortcoming does this refer to?
A.  False acceptance rate
B.  False negative
C.  Session splicing
D.  False positive
B. A false negative occurs when an IDS reports a particular stream of traffic is just fine when, in fact, an intrusion attempt did occur. False negatives are considered far worse than false positives, and are many times not discovered until well after an attack has occurred, just like in this scenario. There are multiple reasons a false negative can occur.
A is incorrect because the term false acceptance rate (FAR) refers to a shortcoming with biometric authentication systems. The FAR is the rate at which a biometric system will incorrectly accept an attempt at authentication: the lower the rate, the better the security.
C is incorrect because although session splicing can be used to evade the IDS, this question is referring to the shortcoming of the IDS itself. There are two big ones: false positive and false negative.
D is incorrect because a false positive occurs when the IDS triggers on "normal" traffic that is not malicious. False positives are a bigger problem with behavior-based IDS.
16.  Examine the Snort output shown here:
[Snort output shown as an image in the original; not reproduced]
Which of the following is true regarding the packet capture?
A.  The capture indicates a NOP sled attack.
B.  The capture shows step 2 of a TCP handshake.
C.  The packet source is 213.132.44.56.
D.  The packet capture shows an SSH session attempt.
B. You'll probably see at least one or two Snort capture logs on the exam, and most of them are just this easy. If you examine the capture log, it shows a TCP port 23 packet from 190.168.5.12 headed toward 213.132.44.56. The TCP flags are clearly shown in line 5 as "***A**S*". Snort prints the flags in eight fixed positions in the order 1 2 U A P R S F (the two reserved bits, then URG, ACK, PSH, RST, SYN, FIN), with an asterisk for each bit that is clear, so this string indicates the ACK and SYN flags are set. Because the three-way handshake is SYN, SYN/ACK, and ACK, a segment with both set is step 2, the SYN/ACK, and voilà, we've solved another one!
A is incorrect because this is a single packet that is not attempting a NOP sled in any shape or form.
C is incorrect because this answer has it in reverse; the source is 190.168.5.12.
D is incorrect because the port number shown in the capture is 23 (telnet), not 22 (SSH).
17.  Your IDS sits on the network perimeter and has been analyzing traffic for a couple of weeks. On arrival one morning, you find the IDS has alerted on a spike in network traffic late the previous evening. Which type of IDS are you using?
A.  Stateful
B.  Snort
C.  Passive
D.  Signature based
E.  Anomaly based
E. The scenario described here is precisely what an anomaly- or behavior-based system is designed for. The system watches traffic and, over time, develops an idea of what "normal" traffic looks like: everything from sources and destinations, ports in use, and times of higher data flows. In one sense, it's better than a plain signature-based system because it can find things heuristically based on behavior; however, anomaly-based systems are notorious for the number of false positives they spin off, especially early on, before the baseline has matured.
A is incorrect because stateful refers to a firewall type, not an IDS.
B is incorrect because Snort is a signature-based IDS.
C is incorrect because passive isn't a detection method. Passive versus inline describes how a sensor is deployed: a passive IDS watches a copy of the traffic and alerts, whereas an inline system that can stop or prevent an attack is an intrusion prevention system (IPS). Neither term says anything about how the system decides what to alert on.
D is incorrect because a signature-based IDS isn't going to care about the amount of traffic going by, nor what time it decides to do so. A signature-based IDS simply compares each packet against a list (signature file) you configure it to look at. If it doesn't match anything in the signature file, then no action is taken.
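The behaviour described in the answer, as an added example (not code from the book or from any IDS product): a detector that learns per-hour traffic volume over two weeks and scores each new hour against that baseline. The history is synthetic and generated in the script (an office pattern, busy by day and idle at night); the late-evening spike, the z-score threshold, and the minimum number of days before the baseline is trusted are assumptions chosen to show the trade-off the answer mentions, an immature baseline either stays silent or drowns you in false positives.

```python
"""Behaviour-based detection: learn what 'normal' hourly volume looks like,
then flag hours that deviate. Added example (not from the book); the traffic
history is synthetic and generated in-script.
"""
import random
import statistics
from typing import Dict, List, Tuple

Hourly = Dict[int, int]  # hour of day -> bytes seen in that hour


class AnomalyDetector:
    def __init__(self, min_days: int = 7, threshold: float = 4.0) -> None:
        self.history: Dict[int, List[int]] = {h: [] for h in range(24)}
        self.min_days = min_days      # below this the baseline is too young to trust
        self.threshold = threshold    # distance from the mean, in standard deviations

    def learn_day(self, day: Hourly) -> None:
        for hour, volume in day.items():
            self.history[hour].append(volume)

    def ready(self) -> bool:
        return all(len(v) >= self.min_days for v in self.history.values())

    def score(self, day: Hourly) -> List[Tuple[int, int, float]]:
        """(hour, volume, z-score) for every hour beyond the threshold.
        While the baseline is still learning nothing is reported; the
        alternative, alerting on a two-day baseline, is where the early
        false positives the answer warns about come from."""
        if not self.ready():
            return []
        alerts = []
        for hour, volume in sorted(day.items()):
            samples = self.history[hour]
            mean = statistics.fmean(samples)
            # floor the deviation so a very quiet hour does not alert on trivial noise
            stdev = max(statistics.stdev(samples), 0.02 * mean, 1.0)
            z = (volume - mean) / stdev
            if abs(z) > self.threshold:
                alerts.append((hour, volume, round(z, 1)))
        return alerts


def expected(hour: int) -> int:
    """Synthetic office profile: ~800 MB/h during 08:00-18:00, ~8 MB/h overnight."""
    return 800_000_000 if 8 <= hour < 18 else 8_000_000


def synthetic_day(rng: random.Random) -> Hourly:
    return {h: int(rng.gauss(expected(h), 0.05 * expected(h))) for h in range(24)}


def scenario() -> Dict[str, object]:
    rng = random.Random(42)
    detector = AnomalyDetector(min_days=7)
    for _ in range(14):
        detector.learn_day(synthetic_day(rng))
    # Today: textbook volumes, except 23:00 carried 300 MB (an exfil-sized
    # spike for a quiet hour) and 10:00 ran 6% hot, which is ordinary variation.
    today = {h: expected(h) for h in range(24)}
    today[23] = 300_000_000
    today[10] = int(expected(10) * 1.06)
    # A sensor with one day of history has no usable baseline yet.
    young = AnomalyDetector(min_days=7)
    young.learn_day(synthetic_day(rng))
    alerts = detector.score(today)
    return {"alerts": alerts, "alert_hours": [a[0] for a in alerts], "young_alerts": young.score(today)}


if __name__ == "__main__":
    for hour, volume, z in scenario()["alerts"]:
        print(f"{hour:02d}:00  {volume / 1e6:8.1f} MB  z={z}")
```

A signature engine has nothing to say about this capture at all: every byte of the 23:00 traffic may be perfectly well-formed. What it can do, and what the baseline cannot, is tell you what the traffic was.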
18.  You are performing an ACK scan against a target subnet. You previously verified connectivity to several hosts within the subnet, but want to verify all live hosts on the subnet. Your scan, however, is not receiving any replies. Which type of firewall is most likely in use at your location?
A.  Packet filtering
B.  IPS
C.  Stateful
D.  Active
C. Most people think of a firewall as a simple packet filter, examining packets as they come in against an access list: if the port is allowed, let the packet through. However, a stateful inspection firewall tracks the state of every connection it has seen. For a very common (dare I say, textbook) example, if a stateful firewall receives an inbound ACK, it's smart enough to check whether there is an associated SYN that originated from inside the network to go along with it. If there isn't, that is, if communications did not start from inside the subnet, it drops the packet silently. That is exactly why an ACK scan goes quiet: the scan relies on the probe reaching the host so the host answers a stray ACK with a RST, and the stateful firewall never lets it get that far.
A is incorrect because a packet-filtering firewall wouldn't bother with the flags. It would be concerned about what port the packet was headed to. If, for instance, you host a web page out of that subnet, but not an FTP server, your firewall should be set up to allow port 80 in, but not port 21. Your ACK probes to port 80 would get through and draw RSTs.
B is incorrect because an IPS (intrusion prevention system) isn't a firewall at all. It's a network-monitoring solution that has the capability of recognizing malicious traffic and taking action to prevent or stop the attack.
D is incorrect because the term active is not associated with a firewall type. This is included as a distractor.
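The ACK-scan behaviour above, played out against both firewall types as an added example (not code from the book): a stateless filter that judges inbound packets by destination port alone, and a stateful one that keeps a table of flows started from inside and only admits packets that belong to one (or a fresh SYN to a published port). The addresses, the allowed-port list, and the nmap-style interpretation of "no reply" as filtered are assumptions for the demo.

```python
"""Why an ACK scan goes quiet behind a stateful firewall.

Added example (not from the book); addresses and rule sets are constructed.
"""
from typing import Dict, Set, Tuple

Packet = Dict[str, object]        # src, sport, dst, dport, flags (set of flag names)
Flow = Tuple[str, int, str, int]  # (inside ip, inside port, outside ip, outside port)


def pkt(src: str, sport: int, dst: str, dport: int, *flags: str) -> Packet:
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}


class PacketFilter:
    """Stateless ACL: inbound traffic is judged on destination port alone.
    The flags are never consulted, which is exactly what an ACK scan exploits."""

    def __init__(self, allowed_inbound_ports: Set[int]) -> None:
        self.allowed = allowed_inbound_ports

    def outbound(self, p: Packet) -> bool:
        return True  # everything from inside may leave

    def inbound(self, p: Packet) -> bool:
        return p["dport"] in self.allowed


class StatefulFirewall(PacketFilter):
    """Remembers connections that inside hosts start, and only lets inbound
    packets through when they belong to a known flow or open a new connection
    to an allowed port."""

    def __init__(self, allowed_inbound_ports: Set[int]) -> None:
        super().__init__(allowed_inbound_ports)
        self.flows: Set[Flow] = set()

    def outbound(self, p: Packet) -> bool:
        if "SYN" in p["flags"] and "ACK" not in p["flags"]:
            self.flows.add((p["src"], p["sport"], p["dst"], p["dport"]))
        return True

    def inbound(self, p: Packet) -> bool:
        flow = (p["dst"], p["dport"], p["src"], p["sport"])  # reversed: reply direction
        if flow in self.flows:
            return True
        if p["flags"] == {"SYN"} and p["dport"] in self.allowed:
            self.flows.add(flow)  # a new inbound connection to a published service
            return True
        return False  # stray ACK, SYN/ACK, etc. dropped silently: no RST for the scanner


def ack_scan(fw: PacketFilter, target: str, port: int) -> str:
    """nmap -sA logic: an ACK with no connection behind it makes the host answer
    RST ('unfiltered'); silence means something in between ate the probe."""
    probe = pkt("203.0.113.9", 40000, target, port, "ACK")
    return "unfiltered" if fw.inbound(probe) else "filtered"


def scenario() -> Dict[str, object]:
    inside, outside = "10.0.0.5", "198.51.100.80"
    stateless, stateful = PacketFilter({80}), StatefulFirewall({80})
    results: Dict[str, object] = {}
    results["stateless_ack_scan_80"] = ack_scan(stateless, inside, 80)
    results["stateless_ack_scan_22"] = ack_scan(stateless, inside, 22)
    results["stateful_ack_scan_80"] = ack_scan(stateful, inside, 80)
    # A real outbound request from inside: the SYN/ACK reply must be let back in.
    stateful.outbound(pkt(inside, 51234, outside, 443, "SYN"))
    results["stateful_reply_to_our_syn"] = stateful.inbound(pkt(outside, 443, inside, 51234, "SYN", "ACK"))
    # The same SYN/ACK with no matching SYN behind it is dropped.
    results["stateful_unsolicited_synack"] = stateful.inbound(pkt(outside, 443, inside, 51235, "SYN", "ACK"))
    # A legitimate new client reaching the published web port is still allowed.
    results["stateful_new_client_to_80"] = stateful.inbound(pkt("203.0.113.9", 40001, inside, 80, "SYN"))
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:32} {value}")
```

Note the contrast the scenario surfaces: against the stateless filter the ACK scan correctly maps port 80 as unfiltered and port 22 as filtered, while against the stateful firewall every port, open or not, looks filtered, which is the symptom in the question.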
19.  You are separated from your target subnet by a firewall. The firewall is correctly configured and only allows requests through to ports opened by the administrator. In firewalking the device, you find that port 80 is open. Which technique could you employ to send data and commands to or from the target system?
A.  Encrypt the data to hide it from the firewall.
B.  Use session splicing.
C.  Use MAC flooding.
D.  Use HTTP tunneling.
D. Okay, so HTTP tunneling is a successful "hacking" technique, but it's hardly new. Microsoft makes use of HTTP tunneling for lots of things, and they've been doing it for years. The tactic is fairly simple: because port 80 is almost never blocked by a firewall, you wrap the traffic of a protocol the firewall would otherwise block inside what look like ordinary HTTP requests and responses on port 80. Of course, you'll need something on the other end to pull the payload out of all those port 80 packets that IIS is desperately wanting to answer, but that's not altogether difficult. Be aware that a web proxy or a firewall doing deep packet inspection may notice that your "HTTP" doesn't look like a browser's.
A is incorrect because encryption won't do a thing for you here. A traditional firewall isn't looking at content/payload; it's looking at the IP and transport headers and port information (a next-generation firewall doing application inspection is another matter, but that isn't what the question describes). Encryption is a good choice to get around an IDS, not a port-based firewall.
B is incorrect because session splicing is a technique for evading an IDS, not a firewall. Again, the firewall is interested in the packet and frame headers, not what fragments of code you've hidden in the payload.
C is incorrect because MAC flooding is a technique for sniffing on switches. The idea is to fill the CAM table to the brim with thousands of useless MAC addresses. Once it can no longer learn addresses, the switch has to flood frames for them out all ports, behaving like a hub.
20.  Which of the following tools are useful in identifying potential honeypots on a subnet? (Choose all that apply.)
A.  Wireshark
B.  Ettercap
C.  Nessus
D.  Send-Safe HH
E.  Nmap
C and D. A honeypot is a system set up as a decoy to entice attackers. The idea is to load it up with all sorts of fake goodies, with not-too-easy vulnerabilities a hacker may exploit. After all that scanning and enumeration, this one is sure to show up as a possible target. Both Nessus (better known as a vulnerability assessment tool) and Send-Safe Honeypot Hunter (HH) are tools you can use to help point out potential honeypots to avoid. Nessus has a plug-in for an older honeypot (LaBrea Tarpit), and can be used to identify vulnerabilities on systems within the network. Sometimes, not always, but sometimes, a list of vulnerabilities on a particular machine can be a dead giveaway that it's a honeypot (if 95 percent of the machines on the network are fully patched but one shows up with 200 Category 1 vulnerabilities, you should hear bells ringing). Send-Safe HH (http://www.send-safe.com/honeypot-hunter.html) is a shareware tool that may be useful in identifying honeypots using "lists of HTTPS and SOCKS proxies." As an aside, you can use honeypots to your advantage if you know where they are by turning them into proverbial double agents. Security monitoring will spend all sorts of time watching you hack away at the honeypot while your real attack goes on elsewhere. Just a thought.
A is incorrect because Wireshark is simply a network sniffer.
B is incorrect because Ettercap is also a network sniffer. Granted, you can have lots of fun with the active sniffing features in Ettercap, but it's not designed to find and label a honeypot for you.
E is incorrect because although nmap is a network-scanning tool, it's not designed to point out a honeypot. Granted, you may be able to discern that identity from nmap results, but that's more of a job for your gray matter, not nmap itself.
21.  Examine the Wireshark filter shown here:
[Wireshark filter shown as an image in the original; not reproduced]
Which of the following correctly describes the capture filter?
A.  The results will display all traffic from 192.168.1.1 destined for port 80.
B.  The results will display all HTTP traffic to 192.168.1.1.
C.  The results will display all HTTP traffic from 192.168.1.1.
D.  No results will display due to invalid syntax.
C. Wireshark filters will be covered quite a bit on your exam and, as stated before, these are easy questions for you. The preceding syntax designates the source IP and combines it with a source TCP port. This is effectively selecting the traffic 192.168.1.1 sends from port 80, that is, its answers to HTTP requests. As another important study tip, watch for the period (.) between “ip” and “src” on the exam because they’ll drop it or change it to a dash (-) to trick you.
A is incorrect because port 80 is defined as the source port, not the destination. 192.168.1.1 is answering a request for an HTML page.
B is incorrect because 192.168.1.1 is defined as the source address, not the destination.
D is incorrect because the syntax is indeed correct.
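As an added worked example (not from the book), the following Python evaluates display filters of the form the question describes, ip.src and tcp.srcport terms joined with &&, over a few constructed packet records. Running the same address with srcport versus dstport shows why option C (replies from the server) is right and option A (requests to the server) is not; it also rejects the mangled “ip-src” spelling the study tip warns about. The packet records and filter strings are constructed for the example.

```python
"""Tiny evaluator for Wireshark-style display filters (ip.src, ip.dst,
tcp.srcport, tcp.dstport joined with &&) over constructed packet records.
Added example; the packets below are constructed, not captured."""
import re

# Constructed sample packets: a client (10.0.0.5) fetching a page from the
# web server 192.168.1.1, the server's reply, and an unrelated SSH packet.
PACKETS = [
    {"ip.src": "10.0.0.5", "ip.dst": "192.168.1.1", "tcp.srcport": 51000, "tcp.dstport": 80},
    {"ip.src": "192.168.1.1", "ip.dst": "10.0.0.5", "tcp.srcport": 80, "tcp.dstport": 51000},
    {"ip.src": "192.168.1.1", "ip.dst": "10.0.0.7", "tcp.srcport": 22, "tcp.dstport": 40000},
]

# One filter term: a supported field, "==", and a value. Note the literal
# period in "ip.src": a dash or a missing period does not match, just as
# Wireshark would reject it.
TERM = re.compile(r"^\s*(ip\.src|ip\.dst|tcp\.srcport|tcp\.dstport)\s*==\s*(\S+)\s*$")


def parse_filter(text):
    """Split 'a == x && b == y' into [(field, value), ...]; raise on bad syntax."""
    terms = []
    for part in text.split("&&"):
        m = TERM.match(part)
        if not m:
            raise ValueError(f"invalid filter term: {part.strip()!r}")
        field, value = m.groups()
        # Port fields compare as integers, address fields as strings.
        terms.append((field, int(value) if field.startswith("tcp.") else value))
    return terms


def apply_filter(text, packets=PACKETS):
    """Return the indexes of packets matching every term of the filter."""
    terms = parse_filter(text)
    return [i for i, p in enumerate(packets) if all(p[f] == v for f, v in terms)]


if __name__ == "__main__":
    # Source port 80 from 192.168.1.1 selects the server's reply (packet 1)...
    print(apply_filter("ip.src == 192.168.1.1 && tcp.srcport == 80"))
    # ...while destination port 80 from the same host selects nothing here.
    print(apply_filter("ip.src == 192.168.1.1 && tcp.dstport == 80"))
```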
22.  You need to put the NIC into listening mode on your Linux box, capture packets, and write the results to a log file named my.log. How do you accomplish this with tcpdump?
A.  tcpdump -i eth0 -w my.log
B.  tcpdump -l eth0 -c my.log.
C.  tcpdump/i eth0 /w my.log
D.  tcpdump/l eth0 /c my.log
A. Tcpdump syntax is simple: tcpdump flag(s) interface. The -i flag specifies the interface (in this example, eth0) for tcpdump to listen on, and the -w flag defines where you want your packet log to go. For your own study, be aware that many study references—including EC-Council’s official reference books—state that the -i flag “puts the interface into listening mode.” It doesn’t actually modify the interface at all, so this is a little bit of a misnomer—it just identifies to tcpdump which interface to listen on for traffic. Lastly, be aware that the -w flag dumps traffic in binary format. If you want it readable, you’ll need to have it display onscreen. Better yet, you can dump it to a file using the “|” designator and a filename.
B is incorrect because the -l flag does not put the interface in listening mode: it actually has to do with line buffering.
C and D are incorrect for the same reason—flags are designated with a dash (-), not a slash (/).
23.  Which of the following tools can assist with IDS evasion? (Choose all that apply.)
A.  Whisker
B.  Fragroute
C.  Capsa
D.  Wireshark
E.  ADMmutate
F.  Inundator
A, B, E, and F. IDS evasion comes down to a few methods: encryption, flooding, and fragmentation (session splicing). Whisker is an HTTP scanning tool but also has the ability to craft session-splicing fragments. Fragroute intercepts, modifies, and rewrites egress traffic destined for the specified host, and can be used to fragment an attack payload over multiple packets. ADMmutate can create multiple scripts that won’t be easily recognizable by signature files, and Inundator is a flooding tool that can help you hide in the cover fire.
C and D are incorrect because both Capsa (Colasoft) and Wireshark are sniffers.
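Added example, not from the book: a few lines of Python showing why session splicing defeats an IDS that matches signatures one packet at a time, and how stream reassembly (the defensive counter, the job of a stream preprocessor in a NIDS) recovers the match even when the pieces arrive out of order. The TCP segments, flow key, and signature string are constructed for the example.

```python
"""Per-packet signature matching versus stream reassembly.
Added example; segments and the signature are constructed."""
from collections import defaultdict

# An arbitrary constructed signature a NIDS rule might look for in a request.
SIGNATURE = b"/etc/passwd"

# Constructed TCP segments: (flow key, sequence number, payload). The request
# has been spliced across three small segments so no single segment holds the
# whole signature, and the middle segment is delivered last (out of order).
FLOW = ("10.0.0.5", "192.168.1.1", 80)
SEGMENTS = [
    (FLOW, 1000, b"GET /cgi-bin/a.cgi?f=/et"),  # 24 bytes: seq 1000..1023
    (FLOW, 1028, b"sswd HTTP/1.0\r\n\r\n"),     # seq 1028..
    (FLOW, 1024, b"c/pa"),                      # 4 bytes:  seq 1024..1027
]


def per_packet_alerts(segments):
    """Naive IDS: test each segment on its own. Returns seqs that matched."""
    return [seq for _, seq, data in segments if SIGNATURE in data]


def reassemble(segments):
    """Order each flow's segments by sequence number and join the payloads,
    as a stream-aware IDS does before applying content rules."""
    flows = defaultdict(list)
    for key, seq, data in segments:
        flows[key].append((seq, data))
    return {key: b"".join(d for _, d in sorted(parts)) for key, parts in flows.items()}


def stream_alerts(segments):
    """Stream-aware IDS: match against the reassembled payload of each flow."""
    return [key for key, stream in reassemble(segments).items() if SIGNATURE in stream]


if __name__ == "__main__":
    print("per-packet alerts:", per_packet_alerts(SEGMENTS))  # nothing fires
    print("stream alerts:   ", stream_alerts(SEGMENTS))       # the flow fires
```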
24.  Which command puts Snort into packet logger mode?
A.  ./snort -dev -l ./log
B.  ./snort -v
C.  ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
D.  None of the above
A. This is the proper syntax to start Snort in packet logger mode. Assuming you have the ./log folder created, Snort will start happily logging packets as it captures them. Here are some other flags of note within this command:
•  -v puts Snort in verbose mode, to look at all packets.
•  -d includes the application layer information, when used with the -v argument.
•  -e includes the data link layer information with the packet.
When put all together, the -dev arguments tell Snort to display all packet data, including the headers.
B is incorrect because this syntax starts Snort in sniffer mode—meaning packet headers will be displayed directly to the screen.
C is incorrect because this syntax starts Snort in network intrusion detection mode. Yes, the -l switch logs files, but the bigger issue for you here is the addition of the -c switch, indicating the configuration file the NIDS needs.
D is incorrect because the correct syntax is indeed displayed.
25.  Examine the following hex dump of a packet capture:
[Figure: hex dump of the two captured packets referenced by the question (not reproduced here)]
What does this packet capture show?
A.  An ARP spoofing attempt
B.  A Unicode IDS evasion attempt
C.  An FTP session authentication
D.  A ping sweep
C. Admittedly, this one is a little tricky, but it’s included here because you absolutely must know how to read simple packet capture dumps. If you had this capture in Wireshark, it would be easy—clicking TCP in the capture and then the port would point out the appropriate info in the hex dump. Without it, though, you need some observation skills. Note in line 0020 of the first packet that the source port is listed as 21 (telling you it’s FTP). Additionally, if you’re really paying attention, you can clearly see the user ID and password used for this authentication: The user ID “user_13” is found in lines 0030 and 0040 of the first packet, and the password “1234_567” is found in the same lines of packet 2. As an aside, if you learn how to convert ASCII to hex, you can do this without the ASCII conversion shown on the right side of the capture. Play with Wireshark and you’ll quickly learn where to look in these captures.
A is incorrect because ARP does not appear in either of these FTP packets.
B is incorrect because this is not a Unicode attack. Unicode characters U+0020 (a space), U+0036 (the number 6), and U+0041 (a capital A) can be used instead of human-readable code to confuse signature-based IDS.
D is incorrect because these two packets are clearly not part of a ping sweep (ICMP).
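The following added Python example (not from the book) ties the tcpdump and hex-dump questions together: it writes two constructed FTP frames to a file in the binary libpcap format that tcpdump -w produces, reads the file back, and decodes the TCP ports and payload by byte offset, the same offsets you read off a hex dump (Ethernet header at 0x00-0x0d, IP header from 0x0e, TCP header from 0x22, so the ports sit in line 0020). The MAC and IP addresses, ports, the file name my.log, and the frames themselves are constructed; the USER/PASS strings reuse the values quoted in the explanation.

```python
"""Write constructed FTP frames as tcpdump -w would (binary pcap), read them
back, and decode ports and payload by offset. Added example; all addresses,
frames, and the file name are constructed."""
import os
import struct
import tempfile


def build_frame(payload, src_port=21, dst_port=49152):
    """Constructed Ethernet/IPv4/TCP frame carrying `payload` (checksums left zero)."""
    eth = bytes.fromhex("000c29aabbcc") + bytes.fromhex("000c29ddeeff") + b"\x08\x00"
    # src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto 6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    return eth + ip + tcp + payload


def write_pcap(path, frames):
    """Minimal libpcap writer: 24-byte global header, then a 16-byte record
    header plus raw bytes per frame. This is binary, not readable text."""
    with open(path, "wb") as f:
        # magic, version 2.4, timezone offset, sigfigs, snaplen, linktype 1 (Ethernet)
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", i, 0, len(frame), len(frame)))  # ts_sec, ts_usec, incl, orig
            f.write(frame)


def read_pcap(path):
    """Return the raw frames from a little-endian libpcap file."""
    frames = []
    with open(path, "rb") as f:
        if struct.unpack("<I", f.read(4))[0] != 0xA1B2C3D4:
            raise ValueError("not a little-endian libpcap file")
        f.read(20)  # rest of the global header
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                break
            _, _, incl_len, _ = struct.unpack("<IIII", rec)
            frames.append(f.read(incl_len))
    return frames


def parse_tcp(frame):
    """Pull src/dst ports and payload out of an Ethernet/IPv4/TCP frame.
    IP header starts at offset 0x0e; with a 20-byte IP header the TCP header
    starts at 0x22, so the two port fields fall inside hex-dump line 0020."""
    ihl = (frame[14] & 0x0F) * 4
    tcp_off = 14 + ihl
    src, dst = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return {"srcport": src, "dstport": dst, "payload": frame[tcp_off + data_off:]}


def demo():
    """Round trip: write my.log (constructed name), read it back, decode each frame."""
    frames = [build_frame(b"USER user_13\r\n", src_port=49152, dst_port=21),
              build_frame(b"PASS 1234_567\r\n", src_port=49152, dst_port=21)]
    path = os.path.join(tempfile.mkdtemp(), "my.log")
    write_pcap(path, frames)
    with open(path, "rb") as f:
        assert f.read(4) != b"USER"  # the file starts with the pcap magic, not text
    return [parse_tcp(fr) for fr in read_pcap(path)]


if __name__ == "__main__":
    for pkt in demo():
        print(pkt["srcport"], "->", pkt["dstport"], pkt["payload"])
```

Port 21 on either side of the conversation is what flags the flow as FTP; the payload bytes that follow the 20-byte TCP header are the clear-text credentials a hex dump shows in its ASCII column, which is the reason FTP authentication over an untrusted segment is a sniffing risk.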