Topic 2, Footprinting
You are footprinting the www.xsecurity.com domain using the Google Search
Engine. You would like to determine what sites link to www.xsecurity.com at the
first level of relevance.
Which of the following operators in Google search will you use to achieve this?
A.
Link: www.xsecurity.com
B.
serch?l:www.xsecurity.com
C.
level1.www.security.com
D.
pagerank:www.xsecurity.com
Link: www.xsecurity.com
Explanation: The query [link:] will list webpages that have links to the specified webpage.
For instance, [link:www.google.com] will list webpages that have links pointing to the
Google homepage. Note there can be no space between the "link:" and the web page URL.
Snort has been used to capture packets on the network. On studying the packets,
the penetration tester finds them to be abnormal. If you were the penetration tester, why
would you find this abnormal?
(Note: The student is being tested on concepts learnt during passive OS
fingerprinting, basic TCP/IP connection concepts and the ability to read packet
signatures from a sniff dump.)
05/20-17:06:45.061034 192.160.13.4:31337 -> 172.16.1.101:1
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seq: 0XA1D95 Ack: 0x53 Win: 0x400
.
.
.
05/20-17:06:58.685879 192.160.13.4:31337 -> 172.16.1.101:1024
TCP TTL:44 TOS:0x10 ID:24242
***FRP** Seq: 0XA1D95 Ack: 0x53 Win: 0x400
What is odd about this attack? (Choose the most appropriate statement)
A.
This is not a spoofed packet as the IP stack has increasing numbers for the three flags.
B.
This is back orifice activity as the scan comes from port 31337.
C.
The attacker wants to avoid creating a sub-carrier connection that is not normally valid.
D.
These packets were created by a tool; they were not created by a standard IP stack.
This is back orifice activity as the scan comes from port 31337.
Explanation: Port 31337 is normally used by Back Orifice. Note that 31337 is the hacker
spelling of ‘elite’, meaning ‘elite hackers’.
A company security system administrator is reviewing the network system log files.
He notes the following:
Network log files are at 5 MB at 12:00 noon.
At 14:00 hours, the log files are at 3 MB.
What should he assume has happened and what should he do about the situation?
A.
He should contact the attacker’s ISP as soon as possible and have the connection
disconnected.
B.
He should log the event as suspicious activity, continue to investigate, and take further
steps according to site security policy.
C.
He should log the file size, and archive the information, because the router crashed.
D.
He should run a file system check, because the Syslog server has a self correcting file
system problem.
E.
He should disconnect from the Internet and discontinue any further unauthorized use,
because an attack has taken place.
He should log the event as suspicious activity, continue to investigate, and take further
steps according to site security policy.
Explanation: You should never assume a host has been compromised without verification.
Typically, disconnecting a server is an extreme measure and should only be done when it
is confirmed there is a compromise or the server contains such sensitive data that the loss
of service outweighs the risk. Never assume that an administrator or an automatic process is
making changes to a system. Always investigate the root cause of the change on the
system and follow your organization's security policy.
Terrorist organizations are increasingly blocking all traffic from North America or
from Internet Protocol addresses that point to users who rely on the English
language.
Hackers sometimes set a number of criteria for accessing their website. This
information is shared among the co-hackers. For example, if you are using a machine
with the Linux operating system and the Netscape browser, then you will have
access to their website in a covert way. When federal investigators using PCs
running Windows and Internet Explorer visited the hackers’ shared site, the
hackers’ system immediately mounted a distributed denial-of-service attack against
the federal system.
Companies today are engaging in tracking competitors through reverse IP address
lookup sites like whois.com, which provide an IP address’s domain. When a
competitor visits the company’s website they are directed to a products page
without discounts, and prices are marked higher for their product. When normal users
visit the website they are directed to a page with full-blown product details along
with attractive discounts. This is based on IP-based blocking, where certain
addresses are barred from accessing a site.
What is this masking technique called?
A.
Website Cloaking
B.
Website Filtering
C.
IP Access Blockade
D.
Mirrored WebSite
Website Cloaking
Explanation: Website Cloaking travels under a variety of aliases, including Stealth, Stealth
scripts, IP delivery, Food Script, and Phantom page technology. It’s hot due to its ability to
manipulate those elusive top-ranking results from spider search engines.
Bill has started to notice some slowness on his network when trying to update his
company’s website and when trying to access the website from the Internet. Bill asks the
help desk manager if he has received any calls about slowness from the end users,
but the help desk manager says that he has not. Bill receives a number of calls from
customers who can’t access the company website and can’t purchase anything
online. Bill logs on to a couple of his routers and notices that the logs show
network traffic is at an all-time high. He also notices that almost all the traffic is
originating from a specific address.
Bill decides to use Geotrace to find out where the suspect IP originates from. The
Geotrace utility runs a traceroute and finds that the IP is coming from Panama. Bill
knows that none of his customers are in Panama, so he immediately thinks that his
company is under a Denial of Service attack. Now Bill needs to find out more about
the originating IP address.
What Internet registry should Bill look in to find the IP Address?
A.
LACNIC
B.
ARIN
C.
RIPELACNIC
D.
APNIC
LACNIC
Explanation: LACNIC is the Latin American and Caribbean Internet Addresses Registry,
which administers IP addresses, autonomous system numbers, reverse DNS, and other
network resources for that region.