Topic 19, Evading IDS, Firewalls and Honeypots
Eric notices repeated probes to port 1080. He learns that the protocol being used is
designed to allow a host outside of a firewall to connect transparently and securely
through the firewall. He wonders if his firewall has been breached. What would be
your inference?
A. Eric's network has been penetrated by a firewall breach
B. The attacker is using the ICMP protocol to have a covert channel
C. Eric has a Wingate package providing FTP redirection on his network
D. Somebody is using SOCKS on the network to communicate through the firewall
Answer: D. Somebody is using SOCKS on the network to communicate through the firewall
Explanation:
Port Description:
SOCKS. SOCKS port, used to support outbound TCP services (FTP, HTTP, etc.). Vulnerable in a way similar to FTP Bounce, in that an attacker can connect to this port and "bounce" out to another internal host. Done either to reach a protected internal host or to mask the true source of an attack. Listen for connection attempts to this port: they are a good sign of port scans, SOCKS probes, or bounce attacks. Also a means to access restricted resources. Example: bouncing off a MILNET gateway's SOCKS port allows an attacker to access web sites, etc. that were restricted only to .mil domain hosts.
Destination unreachable administratively prohibited messages can inform the
hacker to what?
A. That a circuit level proxy has been installed and is filtering traffic
B. That his/her scans are being blocked by a honeypot or jail
C. That the packets are being malformed by the scanning software
D. That a router or other packet-filtering device is blocking traffic
E. That the network is functioning normally
Answer: D. That a router or other packet-filtering device is blocking traffic
Explanation: Destination unreachable administratively prohibited messages are a good way to discover that a router or other low-level packet device is filtering traffic. Analysis of the ICMP message will reveal the IP address of the blocking device and the filtered port. This further adds to the network map and to the information being discovered about the network and its hosts.
Which of the following command-line switches would you use for OS detection in Nmap?
A. -D
B. -O
C. -P
D. -X
Answer: B. -O
Explanation: From the Nmap help text, OS DETECTION:
-O: Enable OS detection (try 2nd generation w/fallback to 1st)
-O2: Only use the new OS detection system (no fallback)
-O1: Only use the old (1st generation) OS detection system
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
You are conducting a port scan on a subnet that has ICMP blocked. You have
discovered 23 live systems and after scanning each of them you notice that they all
show port 21 in closed state.
What should be the next logical step that should be performed?
A. Connect to open ports to discover applications.
B. Perform a ping sweep to identify any additional systems that might be up.
C. Perform a SYN scan on port 21 to identify any additional systems that might be up.
D. Rescan every computer to verify the results.
Answer: C. Perform a SYN scan on port 21 to identify any additional systems that might be up.
Explanation: As ICMP is blocked, you will have trouble determining which computers are up and running by using a ping sweep. Since all 23 computers discovered so far had port 21 closed, any additional, previously unknown systems will probably also have port 21 closed, and a closed port still answers a SYN with a RST. By running a SYN scan on port 21 over the target network you might therefore get replies from additional systems.
Bob has set up three web servers on Windows Server 2003 IIS 6.0. Bob has followed all the recommendations for securing the operating system and IIS. These servers are going to run numerous e-commerce websites that are projected to bring in thousands of dollars a day. Bob is still concerned about the security of this server because of the potential for financial loss. Bob has asked his company's firewall administrator to set the firewall to inspect all incoming traffic on ports 80 and 443 to ensure that no malicious data is getting into the network.
Why will this not be possible?
A. Firewalls can't inspect traffic coming through port 443
B. Firewalls can only inspect outbound traffic
C. Firewalls can't inspect traffic coming through port 80
D. Firewalls can't inspect traffic at all, they can only block or allow certain ports
Answer: D. Firewalls can't inspect traffic at all, they can only block or allow certain ports
Explanation: In order to really inspect traffic content and traffic patterns you need an IDS.