  1.  Examine the Wireshark TCP Flow capture here:
[Figure: Wireshark TCP Flow graph]
Which of the following represents the next appropriate acknowledgement from Host A?
A.  Sequence Number 701, Acknowledgement Number 2664.
B.  Sequence Number 701, Acknowledgement Number 3986.
C.  Sequence Number 2664, Acknowledgement Number 2023.
D.  Sequence Number 2664, Acknowledgement Number 701.
B. Sequence and acknowledgement number prediction can get really, really confusing when you take all the options into account—acknowledgement numbers, window sizes, and so on—but thankfully it’ll be pretty easy on your exam. An acknowledgement packet keeps the sender’s agreed-upon sequence number (in this case, 701) and acknowledges receipt of the previous packet by setting the acknowledgement number to that packet’s sequence number plus its length. In this example, the agreed-upon sequence number is 701, and receipt of the previous packet is acknowledged by adding its sequence number (2664) to its packet length (1322): 2664 + 1322 = 3986.
A, C, and D are incorrect choices because the sequence and acknowledgement numbers do not add up. You can follow the preceding TCP stream and watch the acknowledgement number increment by the packet length. You can also see this at home: Open a Wireshark session and capture a TCP session; then choose Statistics, Flow Graph, and TCP Flow.
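To make the arithmetic above concrete, here is a small Python predictor (an added example, not code from the book and not derived from the capture in the figure): given the segments seen so far, it computes the next sequence and acknowledgement numbers each host should send. The segments are constructed to reproduce the numbers in this question. The same helper also accounts for the SYN and FIN flags, each of which consumes one sequence number even though it carries no data, which is why a SYN carrying ISN x is acknowledged with x + 1 in the handshake. It assumes in-order, loss-free delivery, which is what a flow graph of a clean session shows.

```python
"""Predict the next TCP sequence/acknowledgement numbers in a flow.

Added example for this answer key; the segments below are constructed
to reproduce the numbers in the question, not taken from the capture.
Assumes in-order, loss-free delivery; retransmissions and gaps are out
of scope.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Segment:
    src: str          # sending host label, e.g. "A"
    dst: str          # receiving host label, e.g. "B"
    seq: int          # sequence number of the first byte in this segment
    length: int       # payload bytes carried
    syn: bool = False
    fin: bool = False


def sequence_space_used(seg: Segment) -> int:
    """Payload length plus one for SYN and one for FIN.

    Both flags occupy a sequence number even though they carry no data,
    which is why a SYN with ISN x is acknowledged with x + 1.
    """
    return seg.length + int(seg.syn) + int(seg.fin)


def expected_ack(seg: Segment) -> int:
    """Acknowledgement number the receiver should return for this segment."""
    return (seg.seq + sequence_space_used(seg)) % SEQ_MOD


def predict_next(host: str, flow: List[Segment]) -> Tuple[int, int]:
    """Return (seq, ack) for the next segment `host` would send after `flow`.

    seq: where this host's own sequence space stands after its last segment
         (a bare ACK with no payload leaves it unchanged).
    ack: the expected_ack of the last segment this host received.
    """
    send_next: Dict[str, int] = {}
    recv_next: Dict[str, int] = {}
    for seg in flow:
        send_next[seg.src] = expected_ack(seg)  # same arithmetic, sender's view
        recv_next[seg.dst] = expected_ack(seg)
    if host not in send_next or host not in recv_next:
        raise ValueError(f"host {host!r} has not both sent and received in this flow")
    return send_next[host], recv_next[host]


# Constructed flow reproducing question 1: Host A has sent a bare ACK at
# sequence 701, then Host B sends 1322 bytes starting at sequence 2664.
QUESTION_1_FLOW = [
    Segment("A", "B", seq=701, length=0),
    Segment("B", "A", seq=2664, length=1322),
]

if __name__ == "__main__":
    seq, ack = predict_next("A", QUESTION_1_FLOW)
    print(f"Host A next: seq={seq}, ack={ack}")  # seq=701, ack=3986
    syn = Segment("A", "B", seq=0xA13F, length=0, syn=True)
    print(f"SYN/ACK should acknowledge {expected_ack(syn):X}")  # A140
```

Because a pure ACK carries no payload, Host A’s own sequence number stays at 701 while its acknowledgement jumps to 3986; running `predict_next("B", ...)` gives the mirror image, (3986, 701).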
  2.  You have established a netcat connection to a target machine. Which flag can be used to launch a program?
A.  -p
B.  -a
C.  -l
D.  -e
D. Netcat is often referred to as the “Swiss army knife” of hacking efforts. You can use it to set up a listening port on target machines that you can then revisit to wreak all sorts of havoc. The flag associated with launching a program is -e. For example, issuing the command
[Figure: netcat command]
will open a Windows command shell on the target machine; the -t flag sets up a telnet connection over the port you defined with the -p flag (12657).
A is incorrect because the -p flag indicates the protocol port you wish to use for your session.
B is incorrect because -a is not a recognized netcat flag.
C is incorrect because the -l flag indicates netcat should open the port for listening. As an aside, the -L flag does the same thing; however, it restarts listening after the inbound session completes.
  3.  Which virus type will rewrite itself after each new infection?
A.  Multipartite
B.  Metamorphic
C.  Cavity
D.  Macro
B. EC Council defines several different virus types, depending on what the virus does, how it acts, and how it is written. In the case of a metamorphic virus, it will rewrite itself each time it infects a new file. Metamorphic viruses write versions of themselves in machine code, so they may even be able to infect machines of different operating systems.
A is incorrect because multipartite viruses do not rewrite themselves. They attempt to infect and spread in multiple ways and try to infect files and the boot sector at the same time. They can spread very quickly and are notoriously hard to clean.
C is incorrect because a cavity virus writes itself into unused space within a file. The idea is to maintain the file’s size.
D is incorrect because macro viruses do not rewrite themselves. Macro viruses usually attack Microsoft Office files, executing as a macro within the file itself (anyone who’s ever been stuck in Excel purgatory should be very familiar with macros within a spreadsheet). “Melissa” (a famous virus attacking Microsoft Word 1997) is a classic example of a macro virus.
  4.  A pen test colleague is carrying out attacks. In one attack, she attempts to guess the ISN for a TCP session. Which attack is she most likely carrying out?
A.  XSS
B.  Session splicing
C.  Session hijacking
D.  Multipartite attack
C. The idea behind session hijacking is fairly simple: The attacker waits for a session to begin and, after all the pesky authentication gets done, jumps in to steal the session for herself. In practice, it’s a little harder and more complicated than that, but the key to the whole attack is in determining the Initial Sequence Number (ISN) used for the session. The ISN is sent by the initiator of the session in the first step (SYN). This is acknowledged in the second handshake (SYN/ACK) by incrementing that ISN by 1, and then another ISN is generated by the recipient. This second number is acknowledged by the initiator in the third step (ACK) and from there on out communication can occur. Per EC Council, the following steps describe the session hijack:
1.  Sniff the traffic between the client and the server.
2.  Monitor the traffic and predict the sequence numbering.
3.  Desynchronize the session with the client.
4.  Predict the session token and take over the session.
5.  Inject packets to the target server.
For what it’s worth, pulling this attack off correctly requires you to do some fairly significant traffic sniffing. And if you’re already positioned to sniff the traffic in the first place, this whole scenario may be a moot point. You need to know it for the exam, but real-world application may be small and rare.
A is incorrect because cross-site scripting is a web application attack.
B is incorrect because session splicing is an IDS evasion method. The attacker delivers a payload that the IDS would have otherwise seen by “slicing” it over multiple packets. The payload can be spread out over a long period of time.
D is incorrect because multipartite refers to a virus type, not an attack that requires ISN determination.
  5.  Malware takes many forms and is activated on a machine in a variety of ways. Which of the following malware types does not require user intervention to spread?
A.  Trojan
B.  Virus
C.  Worm
D.  Polymorphic
C. A worm is a self-replicating malware computer program that uses a computer network to send copies of itself to other systems without human intervention. It doesn’t necessarily alter files, but it resides in active memory and duplicates itself, eating up resources and wreaking havoc along the way. The most common use for a worm in the hacking world is the creation of botnets. A classic worm example you will no doubt see on your exam is Conficker. It targeted Windows machines starting back in 2008, infecting millions of computers worldwide, making it the largest computer worm infection in history.
A is incorrect because Trojans need human interaction to spread. A Trojan is software that appears to perform a desirable function for the user prior to run or install, but instead performs a function, usually without the user’s knowledge, that steals information or otherwise harms the system (or data). Much like the horse used to fool Troy, Trojan malware is usually hidden inside something that appears totally harmless or even beneficial.
B is incorrect because viruses do not spread without user intervention. By definition, viruses are attached to other files and are activated when those files are executed. Viruses are spread when users copy infected files from one machine to another.
D is incorrect because viruses need human interaction to spread. A polymorphic piece of malware (a type of virus) still requires interaction; it just morphs its code along the way.
  6.  An attacker is attempting a DoS against a machine. She first spoofs the target’s IP address and then begins sending large amounts of ICMP packets containing the MAC address FF:FF:FF:FF:FF:FF. What attack is underway?
A.  ICMP flood
B.  Ping of Death
C.  SYN flood
D.  Smurf
E.  Fraggle
D. A Smurf attack is a generic denial of service (DoS) attack against a target machine. The idea is simple: have so many ICMP requests going to the target that all its resources are taken up. To accomplish this, the attacker spoofs the target’s IP address and then sends thousands of ping requests from that spoofed IP to the subnet’s broadcast address. This, in effect, pings every machine on the subnet. Assuming they’re configured to do so, each and every machine will respond to the request, effectively crushing the target’s network resources.
A is incorrect because an ICMP flood does not act this way. In this attack, the hacker sends ICMP Echo packets to the target with a spoofed (fake) source address. The target continues to respond to an address that doesn’t exist and eventually reaches a limit of packets per second sent.
B is incorrect because a Ping of Death does not act this way. In the Ping of Death, an attacker fragments an ICMP message and sends the fragments to a target; when they are reassembled, the resulting ICMP packet is larger than the maximum size and crashes the system. It is not a valid attack against modern systems because of preventative measures in the OS. As an aside, each OS has its own method of dealing with network protocols, and the implementation of dealing with particular protocols opens up things like this.
C is incorrect because a SYN flood takes place when an attacker sends multiple SYN packets to a target without providing an acknowledgement to the returned SYN/ACK. This is another attack that does not necessarily work on modern systems.
E is incorrect because in a Fraggle attack, UDP packets are used. The same principle applies—spoofed IP and echo requests sent to the broadcast address—it’s just with UDP.
  7.  Tripwire is one of the most popular tools to protect against malware. Which of the following statements best describes Tripwire?
A.  Tripwire is a signature-based antivirus tool.
B.  Tripwire is a vulnerability assessment tool used for port scanning.
C.  Tripwire is a file integrity program.
D.  Tripwire is a session-splicing tool.
C. Although it has grown substantially from its very early days as nothing more than a file integrity checker, Tripwire is a very well respected integrity verifier that can act as a host-based intrusion detection system (HIDS) in protection against Trojans. Simply put, Tripwire runs a file integrity check against critical files on your system. If they change—due to malware or any other circumstance—Tripwire can alert you and prevent the Trojan from being activated.
A and B are incorrect because these are not functions Tripwire performs. Per the Tripwire website (www.tripwire.com), “Tripwire offerings solve the security configuration management, continuous monitoring, and incident detection problems facing organizations of all sizes, as stand-alone solutions or in concert with other IT security controls.” Antivirus and vulnerability assessment are not functions this particular tool is designed for.
D is incorrect because session splicing is an IDS evasion technique, not a function of Tripwire—not to mention session splicing does absolutely nothing to prevent Trojans.
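Here is a stand-alone Python sketch of what a file integrity checker does (an added example; it is not Tripwire’s code and does not use Tripwire’s database format): hash every regular file under a directory into a baseline, then on a later run report which files were added, removed, or modified. The directory tree built in demo() is constructed for illustration, as are the file contents.

```python
"""Baseline-and-verify file integrity checking, the idea behind Tripwire.

Added example for this answer key: not Tripwire's code or database format,
standard library only. Every regular file under a root directory is hashed
into a baseline; a later scan is compared against it to report added,
removed and modified files. The tree built in demo() is constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hex SHA-256 of a file, read in chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its hash.

    Symlinks are skipped so that a link cannot be repointed to make a
    tampered target look unchanged.
    """
    baseline: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between a stored baseline and a fresh scan."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_baseline(baseline: Dict[str, str], dest: Path) -> None:
    # In practice the baseline belongs on read-only or offline storage:
    # malware that can rewrite it can also hide its own changes.
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, str]:
    return json.loads(src.read_text())


def demo() -> Dict[str, List[str]]:
    """Baseline a constructed tree, tamper with it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"          # the "system" being monitored
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        db = Path(tmp) / "baseline.json"   # kept outside the monitored tree
        save_baseline(build_baseline(root), db)

        # Simulated compromise: trojanized binary, dropped file, deleted file.
        (root / "bin" / "login").write_bytes(b"trojanized login binary")
        (root / "bin" / "dropper").write_bytes(b"MZ constructed payload")
        (root / "etc" / "hosts").unlink()

        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
    # added: ['bin/dropper']  removed: ['etc/hosts']  modified: ['bin/login']
```

The check is only as trustworthy as the baseline: it has to be taken from a known-good state and stored where the monitored system cannot rewrite it, which is why the demo keeps baseline.json outside the scanned tree.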
  8.  Which of the following tools are good choices for session hijack attempts? (Choose all that apply.)
A.  Ettercap
B.  Netcat
C.  Hunt
D.  Nessus
A and C. Both Ettercap and Hunt are good tools for session hijacking. Ettercap is an excellent man-in-the-middle tool and can be run from a variety of platforms (although it is Linux native). Per the Ettercap home page (http://ettercap.sourceforge.net/), “Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.” Hunt is probably one of the best known session-hijacking tools. Hunt can sniff, hijack, and reset connections at will.
B is incorrect because netcat is not a session hijack application. It is valuable for setting up listening ports and executing commands on target machines, but it’s not designed for session hijacking.
D is incorrect because Nessus is a vulnerability assessment tool.
  9.  In regard to Trojans, which of the following best describes a “wrapper”?
A.  The legitimate file the Trojan is attached to.
B.  A program used to bind the Trojan to a legitimate file.
C.  Encryption methods used for a Trojan.
D.  Polymorphic code used to avoid detection by antivirus programs.
B. Wrappers are programs that allow you to bind an executable of your choice (Trojan) to an innocent file your target won’t mind opening. For example, you might use a program such as EliteWrap to embed a backdoor application with a game file (.exe). A user on your target machine then opens the latest game file (maybe to play a hand of cards against the computer, or to fling a bird at pyramids built by pigs) while your backdoor is installing and sits there waiting for your use later. As an aside, many wrappers themselves are considered malicious and will show up on any up-to-date virus signature list.
A, C, and D are all incorrect definitions of a wrapper in regard to Trojans. The wrapper is used to bind the Trojan to the legitimate file, and has nothing to do with encryption of the Trojan itself. Polymorphic code deals with a type of virus that changes its code to avoid detection by signature-based antivirus programs.
10.  What is the default port used by RAT?
A.  31337
B.  1095
C.  1524
D.  7777
E.  666
B. Believe it or not, you will be asked to define port numbers for some Trojans—at least a couple of times on your exam. RAT (Remote Access Tool) is one of hundreds of remote access control Trojans attackers can use on a system. RAT provides a user on a remote computer near total control over another. Installed, usually, as a Trojan without the user’s knowledge, RAT allows for things such as screen captures, file downloading from the target, file execution on the target, and command shell(s) on the target. By default, RAT uses port 1095 (1097–1098 are also used sometimes).
A is incorrect because 31337 is the default port used by BackOrifice. BackOrifice is an older remote control Trojan program that was used on Windows machines.
C is incorrect because 1524 is the default port used by Trinoo. Trinoo is a distributed denial of service Trojan.
D is incorrect because 7777 is the default port for Tini. Per the website http://ntsecurity.nu/toolbox/tini/, “Tini is a simple and very small (3Kb) backdoor for Windows, coded in assembler. It listens at TCP port 7777 and gives anybody who connects a remote Command Prompt.” Interestingly, the developers didn’t intend this as a Trojan at all, and did not create it to actually install on a machine (rebooting kills it).
E is incorrect because 666 is the default port for several different malware applications. Doom, Cain and Abel, NokNok, and Attack FTP are all examples.
11.  Which of the following is a legitimate communication path for the transfer of data?
A.  Overt
B.  Covert
C.  Authentic
D.  Imitation
E.  Actual
A. This is another one of those easy, pure definition questions you simply can’t miss on your exam. Whether the channel is inside a computer, between systems, or across the Internet, any legitimate channel used for communications and data exchange is known as an overt channel. And don’t let the inherent risk of a channel itself make the decision for you—even if the channel itself is a risky endeavor, if it is being used for its intended purpose, it’s still overt. For example, an IRC or a gaming link is still an overt channel, so long as the application(s) making use of it are legitimate. Overt channels are legitimate communication channels used by programs across a system or a network, whereas covert channels are used to transport data in ways they were not intended for.
B is incorrect because a covert channel, per EC Council’s own definition, is “a channel that transfers information within a computer system or network in a way that violates security policy.” For example, a Trojan might create a channel for stealing passwords or downloading sensitive data from the machine.
C, D, and E are incorrect because none of these are terms for the communications channel and are included here as distractors.
12.  Which Trojan is well known for attempting to steal banking information from infected machines?
A.  Apocalypse
B.  HTTP RAT
C.  Zeus
D.  BioDox
C. There are many “well-known” Trojans out there, and you’ll definitely get quizzed on a couple. Zeus is one of the better-known, still-rampaging Trojans making its way around the Internet world. First hitting the scene in 2007, Zeus spread via phishing e-mails (usually) and drive-by installations (exploiting older Java installations). Zeus even made use of Facebook to propagate.
A and B are incorrect because both Apocalypse and HTTP RAT are remote access Trojans. Other remote access Trojans you may want to know include Poison Ivy, Dark Comet, and CCTT (Covert Channel Trojan).
D is incorrect because BioDox is referred to as a “GUI Trojan” by EC Council and is used for all sorts of badness—from remote control to password sniffing.
13.  A pen test team member types the following command:
[Figure: netcat command]
Which of the following is true regarding this attempt?
A.  The attacker is attempting to connect to an established listening port on a remote computer.
B.  The attacker is establishing a listening port on his machine for later use.
C.  The attacker is attempting a DoS against a remote computer.
D.  The attacker is attempting to kill a service on a remote machine.
A. As covered earlier, netcat is a wonderful tool that allows all sorts of remote access wizardry on a machine, and you’ll need to be able to recognize the basics of the syntax. In the command example, netcat is being told, “Please attempt a connection to the machine with the IP address of 222.15.66.78 on port 8765: I believe you’ll find the port in a listening state, waiting for our arrival.” Obviously at some point previous to issuing this command on his local machine, the pen tester planted the netcat Trojan on the remote system (222.15.66.78) and set it up in a listening state. He may have set it up with a command shell access (allowing a Telnet-like connection to issue commands at will) using the following command:
[Figure: netcat command]
B is incorrect because this command is issued on the client side of the setup, not the server side. At some point previously, the port was set to a listening state, and this netcat command will access it.
C is incorrect because this command is not attempting a denial of service against the target machine. It’s included here as a distractor.
D is incorrect because this command is not attempting to kill a process or service on the remote machine. It’s included here as a distractor.
14.  Examine the partial command line output listed here:
[Figure: partial netstat output]
Which of the following is a true statement regarding the output?
A.  This is output from a netstat -an command.
B.  This is output from a netstat -b command.
C.  This is output from a netstat -e command.
D.  This is output from a netstat -r command.
A. You’ll need to get to know netstat before your exam. It’s not a huge thing, and you won’t get bogged down in minutia, but you do need to know the basics. Netstat is a great command-line tool built into every Microsoft operating system. From Microsoft’s own description, netstat “displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols).” It’s a great, easy way to see which ports you have open on your system, helping you to identify any naughty Trojans that may be hanging around. A netstat -an command will show all connections and listening ports in numerical form.
B is incorrect because the -b option displays the executable involved in creating each connection or listening port. Its output appears something like this:
[Figure: sample netstat -b output]
C is incorrect because the -e flag displays Ethernet statistics for the system. Output appears something like this:
[Figure: sample netstat -e output]
D is incorrect because the -r flag displays the route table for the system. A sampling of the output looks like this:
[Figure: sample netstat -r output]
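As an added example (not from the book and not a Microsoft tool), the Python below parses netstat -an text, lists the ports in a LISTENING state, and flags any that match the Trojan default ports from question 10. The netstat output embedded in it is constructed to look like Windows output, and the watchlist simply maps the port numbers the answer key names to the malware it attributes them to.

```python
"""Parse `netstat -an` output and flag listening ports on a watchlist.

Added example for this answer key, not the book's or Microsoft's code.
SAMPLE_NETSTAT_AN is constructed; TROJAN_DEFAULT_PORTS holds the default
ports that question 10 attributes to specific malware.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple

TROJAN_DEFAULT_PORTS: Dict[int, str] = {
    1095: "RAT", 1097: "RAT", 1098: "RAT",
    31337: "BackOrifice",
    1524: "Trinoo",
    7777: "Tini",
    666: "Doom / Cain and Abel / NokNok / Attack FTP",
}


class Socket(NamedTuple):
    proto: str
    local_addr: str
    local_port: int
    foreign: str
    state: Optional[str]   # UDP rows carry no State column


def _split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' (IPv4) or '[addr]:port' (IPv6); '*:*' gives no port."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat_an(text: str) -> List[Socket]:
    """Turn the tabular netstat -an text into Socket records.

    Header lines, blank lines and the 'Active Connections' banner are
    skipped by requiring the first column to be a protocol name.
    """
    sockets: List[Socket] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP", "TCPv6", "UDPv6"):
            continue
        host, port = _split_endpoint(fields[1])
        if port is None:
            continue
        state = fields[3] if len(fields) > 3 else None
        sockets.append(Socket(fields[0], host, port, fields[2], state))
    return sockets


def listening_ports(sockets: List[Socket]) -> List[int]:
    """Distinct local ports in LISTENING state (IPv4 and IPv6 merged)."""
    return sorted({s.local_port for s in sockets if s.state == "LISTENING"})


def flag_watchlisted(sockets: List[Socket],
                     watchlist: Dict[int, str] = TROJAN_DEFAULT_PORTS) -> Dict[int, str]:
    """Listening ports that match a watchlist entry, with the attributed name."""
    return {p: watchlist[p] for p in listening_ports(sockets) if p in watchlist}


# Constructed sample in the layout of Windows `netstat -an`.
SAMPLE_NETSTAT_AN = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49720     203.0.113.5:443        ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
  UDP    [::1]:1900             *:*
"""

if __name__ == "__main__":
    socks = parse_netstat_an(SAMPLE_NETSTAT_AN)
    print("listening:", listening_ports(socks))   # [135, 445, 7777]
    print("flagged:", flag_watchlisted(socks))    # {7777: 'Tini'}
```

A port number alone is a prompt, not proof: legitimate software can sit on any of these ports, and malware can be reconfigured to use others. The sensible follow-up to a hit is the -b output described above, which names the executable behind the listener.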
15.  You are discussing malware with a new pen test member who asks about restarting executables. Which registry keys within Windows automatically run executables and instructions? (Choose all that apply.)
A.  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
B.  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
C.  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
D.  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
A, B, C, and D. Creating malware and infecting a machine with it is only accomplishing the basics. Getting it to hang around by having it restart when the user reboots the machine? Now we’re talking. The Run, RunOnce, RunServices, and RunServicesOnce registry keys within the HKEY_LOCAL_MACHINE hive are great places to stick all sorts of executables. Because of this, it’s helpful to run registry monitoring on occasion to check for anything suspicious. SysAnalyzer, Regshot, and TinyWatcher are all options for this.
16.  Which of the following best describes a sheepdip computer?
A.  A system used to confuse malware developers, attracting them away from real network systems.
B.  A system that has multiple malware infections.
C.  A system used to screen physical media for malware.
D.  A system infected with botnet malware.
C. So it’s admittedly rare that animal husbandry and IT Security cross paths, but this is one of those rare moments. In sheep farming, the lovable little creatures are sometimes given a chemical bath to rid them of parasites, to clean their wool before shearing, or to prevent something I didn’t really want to learn about (and refuse to elaborate on here) known as “sheep scab.” A sheepdip computer is the same thought process, only virtual—with less bleating and scabs. Sheepdip computers are set up to check physical media, device drivers, and other files for malware before they are introduced to the network. Typically, these computers are used for nothing else and are isolated from the other computers. Sheepdip computers are usually configured with a couple of different AV programs, port monitors, registry monitors, and file integrity verifiers.
A, B, and D are all incorrect definitions of a sheepdip computer and are included as distractors.
17.  Which denial of service attack involves sending SYN packets to a target machine, but never responding to any of the SYN/ACK replies?
A.  SYN flood
B.  SYN attack
C.  Smurf
D.  LOIC
A. In a SYN flood attack, the attacker sends thousands of SYN packets to the target, but never responds to any of the return SYN/ACK packets. Because there is a certain amount of time the target must wait to receive an answer to the SYN/ACK (network congestion may be slowing things down, in a legitimate example), it will eventually bog down and run out of available connections.
B is incorrect because EC Council defines a SYN attack and a SYN flood differently. Whereas a SYN flood takes advantage of tons of half-open connections, the SYN attack goes one step further—by spoofing the sending IP address in the first place. The target will attempt to respond with a SYN/ACK but will be unsuccessful because the sending address is false. Eventually, all the machine’s resources are engaged and the DoS is successful.
C is incorrect because a Smurf attack is a DoS attack making use of ICMP packets and broadcast addresses. The idea is simple: Spoof the target’s IP address and send multiple ping requests to the broadcast address of the subnet. The entire subnet will then begin sending ping responses to the target, exhausting the target’s resources and rendering it a giant paperweight.
D is incorrect because Low Orbit Ion Cannon (LOIC) is a simple-to-use DDoS tool that floods a target with TCP, UDP, or HTTP requests. It was originally written open source to attack various Scientology websites, but has since had many people voluntarily joining a botnet to support all sorts of attacks. Recently, LOIC was used in a coordinated attack against Sony’s PlayStation network, and the tool has a track record of other successful hits: the Recording Industry Association of America, PayPal, MasterCard, and several other companies have all fallen victim to LOIC.
18.  A user sees the following pop-up window appear:
[Figure: pop-up window]
Which of the following best describes the pop-up?
A.  A hardware corrupted USB drive is inserted into the machine.
B.  The pop-up is purely informational.
C.  The pop-up indicates a Conficker worm propagation attempt.
D.  None of the above.
C. When it comes to worms on the exam, you’ll definitely be asked about Conficker, and I’d bet a cold adult beverage you’ll probably see this pop-up somewhere. It’s the classic indication Conficker is attempting to run wild on your machine. Clicking the first option under Install or Run Program will execute the worm: The authentic Windows option is the “Open folder to view files using Windows Explorer” under General Options. Conficker spreads as soon as it is opened (by clicking the first option) to open shares, unpatched systems on the network, and systems with weak passwords. The Conficker worm disables services, denies access to administrator shared drives, locks users out of directories, and restricts access to security-related sites.
A is an incorrect description of this pop-up. A hardware problem would create a pop-up noting the drive was unreadable—or there would be no indication at all.
B is incorrect because the pop-up definitely indicates a potential problem with the removable drive and is not harmless. The legitimate Windows option may be mistakenly ignored in favor of Conficker’s addition.
D is incorrect because there is an appropriate answer to the question.
19.  IPSec is an effective preventative measure against session hijacking. Which IPSec mode encrypts only the data payload?
A.  Transport
B.  Tunnel
C.  Protected
D.  Spoofed
A. IPSec is a wonderful encryption mechanism that can rather easily be set up between two endpoints, or even across your entire subnet if you configure the hosts appropriately. You won’t need to know all the bells and whistles with IPSec (and thank goodness, because there’s a lot to write about), but you do need the basics. Transport mode does not affect the header of the packet at all, and only encrypts the payload. It’s typically used as a secured connection between two endpoints, whereas Tunnel mode creates a VPN-like connection protecting the entire session. Additionally, Transport mode is compatible with conventional NAT (Network Address Translation).
B is incorrect because Tunnel mode encapsulates the entire packet, including the header. This is typically used to form a VPN connection, where the tunnel is used across an untrusted network (such as the Internet). For pretty obvious reasons, it’s not compatible with conventional NAT; when the packet goes through the router (or whatever is performing NAT for you), the source address in the packet changes due to Tunnel mode and, therefore, invalidates the packet for the receiving end. There are workarounds for this, generally lumped together as NAT-T (NAT Traversal). Many home routers take advantage of something referred to as IPSec Passthrough to allow just this.
C and D are invalid terms involving IPSec.
20.  Which of the following are MITM session hijacking tools? (Choose all that apply.)
A.  Netcat
B.  LOIC
C.  Hunt
D.  Paros
E.  T-sight
F.  Nmap
C, D, and E. There are tons and tons of man-in-the-middle (MITM) session hijacking tools available. Hunt and T-sight are probably the two best known of the group, and the two you’ll probably see referenced on the exam, but they’re by no means your only options. Hunt can sniff, hijack, and reset connections at will, whereas T-sight (commercially available) can easily hijack sessions as well as monitor additional network connections. Paros is a well-known proxy MITM session hijacking tool, and includes such goodies as vulnerability scanning and spidering.
A, B, and F are incorrect because these are not MITM tools. Netcat is a remote access Trojan (even though it doesn’t necessarily have to be a Trojan, EC Council defines it as one), among other things. LOIC is a DoS application. Nmap is, of course, a well-known scanning tool.
21.  Which of the following best describes the comparison between spoofing and session hijacking?
A.  Spoofing and session hijacking are the same thing.
B.  Spoofing interrupts a client’s communication whereas hijacking does not.
C.  Hijacking interrupts a client’s communication whereas spoofing does not.
D.  Hijacking emulates a foreign IP address whereas spoofing refers to MAC addresses.
C. Hijacking and spoofing can sometimes be confused with each other, although they really shouldn’t be. Spoofing refers to a process where the attacking machine pretends to be something it is not. Whether by faking a MAC address or an IP address, the idea is that other systems on the network will communicate with your machine (that is, set up and tear down sessions) as if it’s the target system: Generally this is used to benefit sniffing efforts. Hijacking is a totally different animal. In hijacking, the attacker jumps into an already-existing session, knocking the client out of it and fooling the server into continuing the exchange. In many cases, the client will simply reconnect to the server over a different session, with no one the wiser: The server isn’t even aware of what happened and the client simply connects again in a different session. As an aside, EC Council describes the session hijack in these steps:
1.  Sniff the traffic between the client and the server.
2.  Monitor the traffic and predict the sequence numbering.
3.  Desynchronize the session with the client.
4.  Predict the session token and take over the session.
5.  Inject packets to the target server.
A is incorrect because spoofing and hijacking are different. An argument can be made that hijacking makes use of some spoofing, but the two attacks are separate entities: Spoofing pretends to be another machine, eliciting (or setting up) sessions for sniffing purposes, whereas hijacking takes advantage of existing communications sessions.
B is incorrect because spoofing doesn’t interrupt a client’s existing session at all—it’s designed to sniff traffic and/or set up its own sessions.
D is incorrect because spoofing isn’t relegated to MAC addresses only. You can spoof almost anything, from MAC and IP addresses to system names and services.
22.  Which of the following is an effective deterrent against session hijacking?
A.  Install and use an HIDS on the system.
B.  Install and use Tripwire on the system.
C.  Enforce good password policy.
D.  Use unpredictable sequence numbers.
D. As noted already, session hijacking requires the attacker to guess the proper upcoming sequence number(s) to pull off the attack, pushing the original client out of the session. Using unpredictable session IDs in the first place protects against this. Other countermeasures for session hijacking are fairly common sense: Use encryption to protect the channel, limit incoming connections, minimize remote access, and regenerate the session key after authentication is complete. And, lastly, don’t forget user education: If the users don’t know any better, they might not think twice about clicking past the security certificate warning or reconnecting after being suddenly shut down.
A is incorrect because a host-based intrusion detection system may not deter session hijacking at all.
B is incorrect because Tripwire is a file integrity application and won’t do a thing for session hijacking prevention.
C is incorrect because system passwords have nothing to do with session hijacking.
23.  A pen test team member types the following command:
[Figure: ettercap command]
Which of the following are true regarding this command? (Choose all that apply.)
A.  Ettercap is being configured for a GUI interface.
B.  Ettercap is being configured as a sniffer.
C.  Ettercap is being configured for text mode.
D.  Ettercap is being configured for manual mode.
E.  Ettercap is being configured for a man-in-the-middle attack.
C and E. Ettercap is defined as a “comprehensive suite for man-in-the-middle attacks” by nearly every website devoted to it (do a search for Ettercap and you’ll see what I mean), and it’s almost universally recognized as one of—if not the—best man-in-the-middle attack suites on the planet. Because of this, you’ll need to know some basics about it: not much, but some. Ettercap can run in one of four user interfaces: text only (-T), something called “curses” (-C), a GUI (known as GTK, and using the -G flag), and daemon mode (-D). In this example, text mode is enabled, the -q flag sets things “quiet,” and the -M flag sets up man-in-the-middle ARP poisoning.
A is incorrect because the -T flag is used to put Ettercap in text mode: -G would put Ettercap in GTK mode.
B is incorrect because Ettercap isn’t being configured as a sniffer here: It’s being set up to perform a MITM attack, not to log packets.
D is incorrect because there is no “manual” mode in Ettercap. This is included as a distractor.
24.  Within a TCP packet dump, a packet is noted with the SYN flag set and a sequence number set at A13F. What should the acknowledgement number in the return SYN/ACK packet be?
A.  A131
B.  A130
C.  A140
D.  A14F
C. We’ve been over the need for predicting sequence numbers before, so I won’t bore you with it again other than to restate the salient point here: The ISN is incremented by 1 in the SYN/ACK return packet. Because these values were given in hex instead of decimal, all you need to know is what the next hex value after A13F is. You could split it out into binary (each hex digit is four bits, so this would equate to 1010000100111111) and then pick the next available number (1010000101000000) and split it back into hex (1010 = A, 0001 = 1, 0100 = 4, and 0000 = 0). Alternatively, you could convert directly to decimal (41279), add 1, and then convert back to hex. And, yes, you do need to know number conversion from decimal to binary to hex—so stop complaining.
A, B, and D are incorrect hex equivalents for decimal 41280 (the next acknowledgement number for the ISN).
25.  When is session hijacking performed?
A.  Before the three-step handshake
B.  During the three-step handshake
C.  After the three-step handshake
D.  After a FIN packet
C. This question should be an easy one for you, but it’s included here to reinforce the point that you need to understand session hijacking steps well for the exam. Of course session hijacking should occur after the three-step handshake. As a matter of fact, you’ll probably need to wait quite a bit after the three-step handshake, so that everything on the session can be set up—authentication and all that nonsense should be taken care of before you jump in and take over.
A and B are incorrect because session hijacking occurs after a session is already established, and the three-step handshake must obviously occur first for this to be true.
D is incorrect because the FIN packet brings an orderly close to the TCP session. Why on earth would you wait until it’s over to start trying to hijack it?