Topic 19, Evading IDS, Firewalls and Honeypots
Given the following extract from the Snort log on a honeypot, what service is being
exploited?
A. FTP
B. SSH
C. Telnet
D. SMTP
Answer: FTP
Explanation: The connection is made to 172.16.1.104:21, and TCP port 21 is the FTP control port.
Exhibit
(Note: the student is being tested on concepts learnt during passive OS
fingerprinting, basic TCP/IP connection concepts and the ability to read packet
signatures from a sniff dump.)
Snort has been used to capture packets on the network. On studying the packets,
the penetration tester finds them abnormal. If you were the penetration tester, why
would you find this abnormal? What is odd about this attack? Choose the best answer.
A. This is not a spoofed packet, as the IP stack has increasing numbers for the three flags.
B. This is Back Orifice activity, as the scan comes from port 31337.
C. The attacker wants to avoid creating a sub-carrier connection that is not normally valid.
D. These packets were crafted by a tool; they were not created by a standard IP stack.
Answer: This is Back Orifice activity, as the scan comes from port 31337.
Explanation: Port 31337 is the port normally used by Back Orifice. Note that 31337 is the
hacker (leet-speak) spelling of 'elite', meaning 'elite hackers'.
You have performed the traceroute below and notice that hops 19 and 20 both show
the same IP address.
What can be inferred from this output?
1 172.16.1.254 (172.16.1.254) 0.724 ms 3.285 ms 0.613 ms
2 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 12.169 ms 14.958 ms 13.416 ms
3 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 13.948 ms ip68-100-0-1.nv.nv.cox.net
(68.100.0.1) 16.743 ms 16.207 ms
4 ip68-100-0-137.nv.nv.cox.net (68.100.0.137) 17.324 ms 12.933 ms 20.938 ms
5 68.1.1.4 (68.1.1.4) 12.439 ms 220.166 ms 204.170 ms
6 so-6-0-0.gar2.wdc1.Level3.net (67.29.170.1) 16.177 ms 25.943 ms 14.104 ms
7 unknown.Level3.net (209.247.9.173) 14.227 ms 17.553 ms 15.415 ms
8 so-0-1-0.bbr1.NewYork1.level3.net (64.159.1.41) 17.063 ms 20.960 ms 19.512 ms
9 so-7-0-0-gar1.NewYork1.Level3.net (64.159.1.182) 20.334 ms 19.440 ms 17.938 ms
10 so-4-0-0.edge1.NewYork1.Level3.net (209.244.17.74) 27.526 ms 18.317 ms 21.202 ms
11 uunet-level3-oc48.NewYork1.Level3.net (209.244.160.12) 21.411 ms 19.133 ms 18.830 ms
12 0.so-6-0-0.XL1.NYC4.ALTER.NET (152.63.21.78) 21.203 ms 22.670 ms 20.11 ms
13 0.so-2-0-0.TL1.NYC8.ALTER.NET (152.63.0.153) 30.929 ms 24.858 ms 23.108 ms
14 0.so-4-1-0.TL1.ATL5.ALTER.NET (152.63.10.129) 38.894 ms 33.244 33.910 ms
15 0.so-7-0-0.XL1.MIA4.ALTER.NET (152.63.86.189) 51.165 ms 49.935 ms 49.466 ms
16 0.so-3-0-0.XR1.MIA4.ALTER.NET (152.63.101.41) 50.937 ms 49.005 ms 51.055 ms
17 117.ATM6-0.GW5.MIA1.ALTER.NET (152.63.82.73) 51.897 ms 50.280 ms 53.647 ms
18 example-gwl.customer.alter.net (65.195.239.14) 51.921 ms 51.571 ms 56.855 ms
19 www.ABC.com (65.195.239.22) 52.191 ms 52.571 ms 56.855 ms
20 www.ABC.com (65.195.239.22) 53.561 ms 54.121 ms 58.333 ms
A. An application proxy firewall
B. A stateful inspection firewall
C. A host based IDS
D. A Honeypot
Answer: A stateful inspection firewall
Blake is in charge of securing all 20 of his company's servers. He has enabled
hardware and software firewalls, hardened the operating systems and disabled all
unnecessary services on all the servers. Unfortunately, there is proprietary AS400
emulation software that must run on one of the servers and that requires the telnet
service to function properly. Blake is especially concerned about this since telnet can
be a very large security risk in an organization. Blake is concerned about how this
particular server might look to an outside attacker, so he decides to perform some
footprinting, scanning and penetration tests on the server. Blake telnets into the
server and types the following command:
HEAD / HTTP/1.0
After pressing enter twice, Blake gets the following results:
What has Blake just accomplished?
A. Grabbed the banner
B. Downloaded a file to his local computer
C. Submitted a remote command to crash the server
D. Poisoned the local DNS cache of the server
Answer: Grabbed the banner
Gerald, the systems administrator for Hyped Enterprise, has just discovered that his
network has been breached by an outside attacker. After performing routine
maintenance on his servers, he discovers that numerous remote tools were installed
that no one in his department claims to have knowledge of.
Gerald logs onto the management console for his IDS and discovers an unknown IP
address that scanned his network constantly for a week and was able to access his
network through a high-numbered port that was not closed. Gerald traces the IP address
he found in the IDS log to a proxy server in Brazil.
Gerald calls the company that owns the proxy server and, after searching through
their logs, they trace the source to another proxy server in Switzerland. Gerald calls
the company in Switzerland that owns the proxy server and, after scanning through
the logs again, they trace the source back to a proxy server in China.
What tool did Gerald's attacker use to cover their tracks?
A. Tor
B. ISA
C. IAS
D. Cheops
Answer: Tor
Explanation: Tor is a network of virtual tunnels that allows people and groups to improve
their privacy and security on the Internet. It also enables software developers to create new
communication tools with built-in privacy features. It provides the foundation for a range of
applications that allow organizations and individuals to share information over public
networks without compromising their privacy. Individuals can use it to keep remote
websites from tracking them and their family members. They can also use it to connect to
resources such as news sites or instant messaging services that are blocked by their local
Internet service providers (ISPs). Routing a connection through a chain of relays in different
countries, as in this scenario, is exactly what makes the true source hard to trace.