Ethical Hacking and Countermeasures v7.3
Question 1
Your company trainee Sandra asks you which are the four existing Regional Internet
Registry (RIR's)?
- A. APNIC, PICNIC, ARIN, LACNIC
- B. RIPE NCC, LACNIC, ARIN, APNIC
- C. RIPE NCC, NANIC, ARIN, APNIC
- D. RIPE NCC, ARIN, APNIC, LATNIC
Answer : B
Explanation: All other answers include non existing organizations (PICNIC, NANIC,
LATNIC). See http://www.arin.net/library/internet_info/ripe.html
Question 2
You are footprinting an organization to gather competitive intelligence. You visit the companys website for contact information and telephone numbers but do not find it listed there. You know that they had the entire staff directory listed on their website
12 months ago but not it is not there.
How would it be possible for you to retrieve information from the website that is outdated?
- A. Visit google’s search engine and view the cached copy.
- B. Visit Archive.org web site to retrieve the Internet archive of the company’s website.
- C. Crawl the entire website and store them into your computer.
- D. Visit the company’s partners and customers website for this information.
Answer : B
Explanation: Explanation: Archive.org mirrors websites and categorizes them by date and month depending on the crawl time. Archive.org dates back to 1996, Google is incorrect because the cache is only as recent as the latest crawl, the cache is over-written on each subsequent crawl. Download the website is incorrect because that's the same as what you see online. Visiting customer partners websites is just bogus. The answer is then
Firmly, C, archive.org -
Question 3
Bill has started to notice some slowness on his network when trying to update his companys website while trying to access the website from the Internet. Bill asks the help desk manager if he has received any calls about slowness from the end users, but the help desk manager says that he has not. Bill receives a number of calls from customers that cant access the company website and cant purchase anything online. Bill logs on to a couple of this routers and notices that the logs shows network traffic is at all time high. He also notices that almost all the traffic is originating from a specific address.
Bill decides to use Geotrace to find out where the suspect IP is originates from. The
Geotrace utility runs a traceroute and finds that IP is coming from Panama. Bill knows that none of his customers are in Panama so he immediately thinks that his company is under a Denial of Service attack. Now Bill needs to find out more about the originating IP Address.
What Internet registry should Bill look in to find the IP Address?
- A. LACNIC
- B. ARIN
- C. RIPELACNIC
- D. APNIC
Answer : A
Explanation: LACNIC is the Latin American and Caribbean Internet Addresses Registry that administers IP addresses, autonomous system numbers, reverse DNS, and other network resources for that region.
Question 4
Your lab partner is trying to find out more information about a competitors web site.
The site has a .com extension. She has decided to use some online whois tools and look in one of the regional Internet registrys. Which one would you suggest she looks in first?
- A. LACNIC
- B. ARIN
- C. APNIC
- D. RIPE
- E. AfriNIC
Answer : B
Explanation: Regional registries maintain records from the areas from which they govern.
ARIN is responsible for domains served within North and South America and therefore, would be a good starting point for a .com domain.
Topic 3, Scanning -
Question 5
The following excerpt is taken from a honeyput log. The log captures activities across three days. There are several intrusion attempts; however, a few are successful. Study the log given below and answer the following question:
(Note: The objective of this questions is to test whether the student has learnt about passive OS fingerprinting (which should tell them the OS from log captures): can they tell a SQL injection attack signature; can they infer if a user ID has been created by an attacker and whether they can read plain source destination entries from log entries.)
What can you infer from the above log?
- A. The system is a windows system which is being scanned unsuccessfully.
- B. The system is a web application server compromised through SQL injection. by the attacker.
- D. The actual IP of the successful attacker is 24.9.255.53.
Answer : A
Question 6
What is the proper response for a X-MAS scan if the port is closed?
- A. SYN
- B. ACK
- C. FIN
- D. PSH
- E. RST
- F. No response
Answer : E
Explanation: Closed ports respond to a X-MAS scan with a RST.
Question 7
You are scanning into the target network for the first time. You find very few conventional ports open. When you attempt to perform traditional service identification by connecting to the open ports, it yields either unreliable or no results. You are unsure of which protocols are being used. You need to discover as many different protocols as possible.
Which kind of scan would you use to achieve this? (Choose the best answer)
- A. Nessus scan with TCP based pings.
- B. Nmap scan with the –sP (Ping scan) switch.
- C. Netcat scan with the –u –e switches.
- D. Nmap with the –sO (Raw IP packets) switch.
Answer : D
Explanation: Running Nmap with the sO switch will do a IP Protocol Scan. The IP protocol scan is a bit different than the other nmap scans. The IP protocol scan is searching for additional IP protocols in use by the remote station, such as ICMP, TCP, and
UDP. If a router is scanned, additional IP protocols such as EGP or IGP may be identified.
Question 8
You are manually conducting Idle Scanning using Hping2. During your scanning you notice that almost every query increments the IPID regardless of the port being queried. One or two of the queries cause the IPID to increment by more than one value. Why do you think this occurs?
- A. The zombie you are using is not truly idle.
- B. A stateful inspection firewall is resetting your queries.
- C. Hping2 cannot be used for idle scanning.
- D. These ports are actually open on the target system.
Answer : A
Explanation: If the IPID is incremented by more than the normal increment for this type of system it means that the system is interacting with some other system beside yours and has sent packets to an unknown host between the packets destined for you.
Question 9
Which Type of scan sends a packets with no flags set ?
Select the Answer -
- A. Open Scan
- B. Null Scan
- C. Xmas Scan
- D. Half-Open Scan
Answer : B
Explanation:
The types of port connections supported are:
-> TCP Full Connect. This mode makes a full connection to the target's TCP ports and can save any data or banners returned from the target. This mode is the most accurate for determining TCP services, but it is also easily recognized by Intrusion
Detection Systems (IDS).
-> UDP ICMP Port Unreachable Connect. This mode sends a short UDP packet to the target's UDP ports and looks for an ICMP Port Unreachable message in return.
The absence of that message indicates either the port is used, or the target does not return the ICMP message which can lead to false positives. It can save any data or banners returned from the target. This mode is also easily recognized by
IDS.
-> TCP Full/UDP ICMP Combined. This mode combines the previous two modes into one operation.
-> TCP SYN Half Open. (Windows XP/2000 only) This mode sends out a SYN packet to the target port and listens for the appropriate response. Open ports respond with a SYN|ACK and closed ports respond with ACK|RST or RST. This mode is less likely to be noted by IDS, but since the connection is never fully completed, it cannot gather data or banner information. However, the attacker has full control over TTL, Source Port, MTU, Sequence number, and Window parameters in the
SYN packet.
-> TCP Other. (Windows XP/2000 only) This mode sends out a TCP packet with any combination of the SYN, FIN, ACK, RST, PSH, URG flags set to the target port and listens for the response. Again, the attacker can have full control over TTL,
Source Port, MTU, Sequence number, and Window parameters in the custom TCP packet. The Analyze feature helps with analyzing the response based on the flag settings chosen. Each operating system responds differently to these special combinations. The tool includes presets for XMAS, NULL, FIN and ACK flag settings.
Question 10
Which of the following commands runs snort in packet logger mode?
- A. ./snort -dev -h ./log
- B. ./snort -dev -l ./log
- C. ./snort -dev -o ./log
- D. ./snort -dev -p ./log
Answer : B
Explanation: Note: If you want to store the packages in binary mode for later analysis use
./snort -l ./log -b
Question 11
You are having problems while retrieving results after performing port scanning during internal testing. You verify that there are no security devices between you and the target system. When both stealth and connect scanning do not work, you decide to perform a NULL scan with NMAP. The first few systems scanned shows all ports open.
Which one of the following statements is probably true?
- A. The systems have all ports open.
- B. The systems are running a host based IDS.
- C. The systems are web servers.
- D. The systems are running Windows.
Answer : D
Explanation: The null scan turns off all flags, creating a lack of TCP flags that should never occur in the real world. If the port is closed, a RST frame should be returned and a null scan to an open port results in no response. Unfortunately Microsoft (like usual) decided to completely ignore the standard and do things their own way. Thus this scan type will not work against systems running Windows as they choose not to response at all. This is a good way to distinguish that the system being scanned is running Microsoft Windows.
Question 12
What type of port scan is shown below?
- A. Idle Scan
- B. Windows Scan
- C. XMAS Scan
- D. SYN Stealth Scan
Answer : C
Explanation: An Xmas port scan is variant of TCP port scan. This type of scan tries to obtain information about the state of a target port by sending a packet which has multiple
TCP flags set to 1 - "lit as an Xmas tree". The flags set for Xmas scan are FIN, URG and
PSH. The purpose is to confuse and bypass simple firewalls. Some stateless firewalls only check against security policy those packets which have the SYN flag set (that is, packets that initiate connection according to the standards). Since Xmas scan packets are different, they can pass through these simple systems and reach the target host.
Question 13
Bob has been hired to perform a penetration test on ABC.com. He begins by looking at IP address ranges owned by the company and details of domain name registration. He then goes to News Groups and financial web sites to see if they are leaking any sensitive information of have any technical details online.
Within the context of penetration testing methodology, what phase is Bob involved with?
- A. Passive information gathering
- B. Active information gathering
- C. Attack phase
- D. Vulnerability Mapping
Answer : A
Explanation: He is gathering information and as long as he doesnt make contact with any of the targets systems he is considered gathering this information in a passive mode.
Question 14
What port scanning method involves sending spoofed packets to a target system and then looking for adjustments to the IPID on a zombie system?
- A. Blind Port Scanning
- B. Idle Scanning
- C. Bounce Scanning
- D. Stealth Scanning
- E. UDP Scanning
Answer : B
Explanation:
from NMAP:-sI <zombie host[:probeport]> Idlescan: This advanced scan method allows fora truly blind TCP port scan of the target (meaning no packets are sent tothe tar- get from your real IP address). Instead, a unique side-channelattack exploits predictable "IP fragmentation ID" sequence generation onthe zombie host to glean information about the open ports on the target.
Question 15
Study the log below and identify the scan type.
tcpdump w host 192.168.1.10
- A. nmap R 192.168.1.10
- B. nmap S 192.168.1.10
- C. nmap V 192.168.1.10
- D. nmap –sO –T 192.168.1.10
Answer : D
Explanation: -sO: IP protocol scans: This method is used to determine which IP protocols are supported on a host. The technique is to send raw IP packets without any further protocol header to each specified protocol on the target machine.