312-50 Practice Test



Page 30 out of 153 Pages

Topic 19, Evading IDS, Firewalls and Honeypots

ETHER: Destination address : 0000BA5EBA11
ETHER: Source address : 00A0C9B05EBD
ETHER: Frame Length : 1514 (0x05EA)
ETHER: Ethernet Type : 0x0800 (IP)
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Service Type = 0 (0x0)
IP: Precedence = Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: Total Length = 1500 (0x5DC)
IP: Identification = 7652 (0x1DE4)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 127 (0x7F)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0xC26D
IP: Source Address = 10.0.0.2
IP: Destination Address = 10.0.1.201
TCP: Source Port = Hypertext Transfer Protocol
TCP: Destination Port = 0x1A0B
TCP: Sequence Number = 97517760 (0x5D000C0)
TCP: Acknowledgement Number = 78544373 (0x4AE7DF5)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x10 : .A....
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 28793 (0x7079)
TCP: Checksum = 0x8F27
TCP: Urgent Pointer = 0 (0x0)

An employee wants to defeat detection by a network-based IDS application. He does
not want to attack the system containing the IDS application. Which of the following
strategies can be used to defeat detection by a network-based IDS application?


A. Create a SYN flood
B. Create a network tunnel
C. Create multiple false positives
D. Create a ping flood

Answer: B. Create a network tunnel



Explanation: Certain types of encryption present challenges to network-based intrusion
detection and may leave the IDS blind to certain attacks, whereas a host-based IDS analyzes
the data after it has been decrypted.

This IDS-defeating technique works by splitting a datagram (or packet) into multiple
fragments, so the IDS will not spot the true nature of the fully assembled datagram.
The datagram is not reassembled until it reaches its final destination. It would be a
processor-intensive task for an IDS to reassemble all fragments itself, and on a
busy system the packet will slip through the IDS onto the network.
What is this technique called?


A. IP Fragmentation or Session Splicing
B. IP Routing or Packet Dropping
C. IDS Spoofing or Session Assembly
D. IP Splicing or Packet Reassembly

Answer: A. IP Fragmentation or Session Splicing



Explanation: The basic premise behind session splicing, or IP Fragmentation, is to deliver
the payload over multiple packets thus defeating simple pattern matching without session
reconstruction. This payload can be delivered in many different manners and even spread
out over a long period of time. Currently, Whisker and Nessus have session splicing
capabilities, and other tools exist in the wild.


A. Idle Scan
B. Windows Scan
C. XMAS Scan
D. SYN Stealth Scan

Answer: C. XMAS Scan



Explanation: An Xmas port scan is a variant of the TCP port scan. This type of scan tries to
obtain information about the state of a target port by sending a packet which has multiple
TCP flags set to 1 - "lit as an Xmas tree". The flags set for an Xmas scan are FIN, URG and
PSH. The purpose is to confuse and bypass simple firewalls. Some stateless firewalls only
check against security policy those packets which have the SYN flag set (that is, packets
that initiate a connection according to the standards). Since Xmas scan packets are different,
they can pass through these simple systems and reach the target host.

You are performing a port scan with nmap. You are in a hurry and conducting the
scans at the fastest possible speed. However, you don't want to sacrifice reliability
for speed. If stealth is not an issue, what type of scan should you run to get very
reliable results?


A. XMAS scan
B. Stealth scan
C. Connect scan
D. Fragmented packet scan

Answer: C. Connect scan



Explanation: A TCP Connect scan, named after the Unix connect() system call, is the most
accurate scanning method. If a port is open, the operating system completes the TCP three-way
handshake, and the port scanner immediately closes the connection.

Snort is an open source Intrusion Detection system. However, it can also be used for
a few other purposes as well.
Which of the choices below indicate the other features offered by Snort?


A. IDS, Packet Logger, Sniffer
B. IDS, Firewall, Sniffer
C. IDS, Sniffer, Proxy
D. IDS, Sniffer, content inspector

Answer: A. IDS, Packet Logger, Sniffer



Explanation: Snort is a free software network intrusion detection and prevention system
capable of performing packet logging and real-time traffic analysis on IP networks. Snort was
written by Martin Roesch but is now owned and developed by Sourcefire.

