
ECCouncil 312-50v12 Exam Questions Dumps


Exam Code: 312-50v12
Exam Name: Certified Ethical Hacker Exam (CEHv12)


Total Questions Answers: 572
Last Updated: 22-Jul-2024

312-50v12 Exam Sample Questions:



In the process of implementing a network vulnerability assessment strategy for a tech company, the security analyst is confronted with the following scenarios:

1) A legacy application is discovered on the network, which no longer receives updates from the vendor.
2) Several systems in the network are found running outdated versions of web browsers prone to distributed attacks.
3) The network firewall has been configured using default settings and passwords.
4) Certain TCP/IP protocols used in the organization are inherently insecure.

The security analyst decides to use vulnerability scanning software. Which of the following limitations of vulnerability assessment should the analyst be most cautious about in this context?
A. Vulnerability scanning software is limited in its ability to perform live tests on web applications to detect errors or unexpected behavior
B. Vulnerability scanning software cannot define the impact of an identified vulnerability on different business operations
C. Vulnerability scanning software is limited in its ability to detect vulnerabilities at a given point in time
D. Vulnerability scanning software is not immune to software engineering flaws that might lead to serious vulnerabilities being missed

Answer: D. Vulnerability scanning software is not immune to software engineering flaws that might lead to serious vulnerabilities being missed
Explanation: Vulnerability scanning software is a tool that can help security analysts identify and prioritize known vulnerabilities in their systems and applications. However, it is not a perfect solution and has some limitations that need to be considered. One of the most critical limitations is that vulnerability scanning software is not immune to software engineering flaws that might lead to serious vulnerabilities being missed. This means that the software itself might have bugs, errors, or oversights that could affect its accuracy, reliability, or performance. For example, the software might:

  • Fail to detect some vulnerabilities due to incomplete or outdated databases, incorrect signatures, or insufficient coverage of the target system or application.
  • Produce false positives or false negatives due to misinterpretation of the scan results, incorrect configuration, or lack of context or validation.
  • Cause unintended consequences or damage to the target system or application due to intrusive or aggressive scanning techniques, such as exploiting vulnerabilities, modifying data, or crashing services.
  • Be vulnerable to attacks or compromise by malicious actors who could exploit its weaknesses, tamper with its functionality, or steal its data.

Therefore, the security analyst should be most cautious about this limitation of vulnerability scanning software, as it could lead to a false sense of security, missed opportunities for remediation, or increased exposure to threats. The security analyst should always verify the scan results, use multiple tools and methods, and update and patch the software regularly to mitigate this risk.





A large corporate network is being subjected to repeated sniffing attacks. To increase security, the company’s IT department decides to implement a combination of several security measures. They permanently add the MAC address of the gateway to the ARP cache, switch to using IPv6 instead of IPv4, implement the use of encrypted sessions such as SSH instead of Telnet, and use Secure File Transfer Protocol instead of FTP.

However, they are still faced with the threat of sniffing. Considering the countermeasures, what should be their next step to enhance network security?

A. Use HTTP instead of HTTPS for protecting usernames and passwords
B. Implement network scanning and monitoring tools
C. Enable network identification broadcasts
D. Retrieve MAC addresses from the OS

Answer: B. Implement network scanning and monitoring tools
Explanation: Sniffing attacks are a type of network attack that involves intercepting and analyzing data packets as they travel over a network. Sniffing attacks can be used to steal sensitive information, such as usernames, passwords, credit card numbers, etc. Sniffing attacks can also be used to perform reconnaissance, spoofing, or man-in-the-middle attacks.

The IT department of the company has implemented some security measures to prevent or mitigate sniffing attacks, such as:

  • Adding the MAC address of the gateway to the ARP cache: This prevents ARP spoofing, which is a technique that allows an attacker to redirect network traffic to their own device by sending fake ARP messages that associate their MAC address with the IP address of the gateway.
  • Switching to IPv6 instead of IPv4: This reduces the risk of IP spoofing, which is a technique that allows an attacker to send packets with a forged source IP address, pretending to be another device on the network.
  • Using encrypted sessions such as SSH instead of Telnet, and Secure File Transfer Protocol instead of FTP: This protects the data from being read or modified by an attacker who can capture the packets, as the data is encrypted and authenticated using cryptographic protocols.

However, these measures are not enough to completely eliminate the threat of sniffing, as an attacker can still use other techniques, such as:

  • Passive sniffing: This involves monitoring the network traffic without injecting any packets or altering the data. Passive sniffing can be done on a shared network, such as a hub, or on a switched network, using techniques such as MAC flooding, port mirroring, or VLAN hopping.
  • Active sniffing: This involves injecting packets or modifying the data to manipulate the network behavior or gain access to more traffic. Active sniffing can be done using techniques such as DHCP spoofing, DNS poisoning, ICMP redirection, or TCP session hijacking.

Therefore, the next step to enhance network security is to implement network scanning and monitoring tools, which can help detect and prevent sniffing attacks by:

  • Scanning the network for unauthorized devices, such as rogue access points, hubs, or sniffers, and removing them or isolating them from the network.
  • Monitoring the network for abnormal traffic patterns, such as excessive ARP requests, DNS queries, ICMP messages, or TCP connections, and alerting the network administrators or blocking the suspicious sources.
  • Analyzing the network traffic for malicious content, such as malware, phishing, or exfiltration, and filtering or quarantining the infected or compromised devices.
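
The ARP side of the monitoring described above can be sketched as follows. This is an added example, not part of the original page: the record format, the addresses, the pinned gateway MAC and the rate threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed ARP observations: "time op sender_mac sender_ip target_ip".
SAMPLE = """\
0.00 request 02:00:00:00:00:10 192.0.2.10 192.0.2.1
0.01 reply   02:00:00:00:00:01 192.0.2.1  192.0.2.10
5.00 request 02:00:00:00:00:66 192.0.2.66 192.0.2.2
5.10 request 02:00:00:00:00:66 192.0.2.66 192.0.2.3
5.20 request 02:00:00:00:00:66 192.0.2.66 192.0.2.4
5.30 request 02:00:00:00:00:66 192.0.2.66 192.0.2.5
5.40 request 02:00:00:00:00:66 192.0.2.66 192.0.2.6
5.50 request 02:00:00:00:00:66 192.0.2.66 192.0.2.7
9.00 reply   02:00:00:00:00:66 192.0.2.1  192.0.2.10
9.50 reply   02:00:00:00:00:66 192.0.2.10 192.0.2.1
"""

GATEWAY_IP = "192.0.2.1"            # assumed gateway address
GATEWAY_MAC = "02:00:00:00:00:01"   # assumed value pinned in the static ARP entry


def detect(lines, gateway_ip, gateway_mac, max_requests=5, window=1.0):
    """Return (time, alert_kind, sender_mac) tuples for suspicious ARP traffic."""
    alerts = []
    bindings = {}                  # ip -> first MAC seen claiming it
    recent = defaultdict(deque)    # sender MAC -> recent request timestamps
    burst_reported = set()         # report each bursting sender once
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue               # skip malformed records
        ts, op, mac, ip = float(parts[0]), parts[1], parts[2].lower(), parts[3]
        if ip == gateway_ip and mac != gateway_mac:
            # Someone other than the pinned MAC claims to be the gateway.
            alerts.append((ts, "gateway-mac-mismatch", mac))
        elif ip in bindings and bindings[ip] != mac:
            # A host address is suddenly announced from a different MAC.
            alerts.append((ts, "ip-mac-change", mac))
        bindings.setdefault(ip, mac)
        if op == "request":
            q = recent[mac]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()        # keep only requests inside the window
            if len(q) > max_requests and mac not in burst_reported:
                burst_reported.add(mac)
                alerts.append((ts, "arp-request-burst", mac))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE.splitlines(), GATEWAY_IP, GATEWAY_MAC):
        print(alert)
```
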





An audacious attacker is targeting a web server you oversee. He intends to perform a Slow HTTP POST attack by manipulating 'a' HTTP connections. Each connection sends a byte of data every 'b' seconds, effectively holding up the connections for an extended period. Your server is designed to manage 'm' connections per second, but any connections exceeding this number tend to overwhelm the system. Given 'a=100' and variable 'm', along with the attacker's intention of maximizing the attack duration 'D=a*b', consider the following scenarios. Which is most likely to result in the longest duration of server unavailability?
A. m=110, b=20: Despite the attacker sending 100 connections, the server can handle 110 connections per second, therefore likely staying operative, regardless of the hold-up time per connection
B. m=90, b=15: The server can manage 90 connections per second, but the attacker's 100 connections exceed this, and with each connection held up for 15 seconds, the attack duration could be significant
C. m=95, b=10: Here, the server can handle 95 connections per second, but it falls short against the attacker's 100 connections, albeit the hold-up time per connection is lower
D. m=105, b=12: The server can manage 105 connections per second, more than the attacker's 100 connections, likely maintaining operation despite a moderate hold-up time

Answer: B. m=90, b=15: The server can manage 90 connections per second, but the attacker's 100 connections exceed this, and with each connection held up for 15 seconds, the attack duration could be significant


Explanation: A Slow HTTP POST attack is a type of denial-of-service (DoS) attack that exploits the way web servers handle HTTP requests. The attacker sends a legitimate HTTP POST header to the web server, specifying a large amount of data to be sent in the request body. However, the attacker then sends the data very slowly, keeping the connection open and occupying the server’s resources. The attacker can launch multiple such connections, exceeding the server’s capacity to handle concurrent requests and preventing legitimate users from accessing the web server.

The attack duration D is given by the formula D = a * b, where a is the number of connections and b is the hold-up time per connection. The attacker intends to maximize D by manipulating a and b. The server can manage m connections per second, but any connections exceeding m will overwhelm the system. Therefore, the scenario that is most likely to result in the longest duration of server unavailability is the one where a > m and b is the largest. Among the four options, this is the case for option B, where a = 100, m = 90, and b = 15. In this scenario, D = 100 * 15 = 1500 seconds, which is the longest among the four options. Option A has a larger b, but a < m, so the server can handle the connections without being overwhelmed. Option C has a > m, but a smaller b, so the attack duration is shorter. Option D has a > m, but a smaller b and a smaller difference between a and m, so the attack duration is also shorter.





As a part of an ethical hacking exercise, an attacker is probing a target network that is suspected to employ various honeypot systems for security. The attacker needs to detect and bypass these honeypots without alerting the target. The attacker decides to utilize a suite of techniques. Which of the following techniques would NOT assist in detecting a honeypot?
A. Probing system services and observing the three-way handshake
B. Using honeypot detection tools like Send-Safe Honeypot Hunter
C. Implementing a brute force attack to verify system vulnerability
D. Analyzing the MAC address to detect instances running on VMware

Answer: C. Implementing a brute force attack to verify system vulnerability
Explanation: A brute force attack is a method of trying different combinations of passwords or keys to gain access to a system or service. It is not a reliable way of detecting a honeypot, as it may trigger an alert or response from the target. Moreover, a brute force attack does not provide any information about the system’s characteristics or behavior that could indicate a honeypot. A honeypot is a decoy system that is designed to attract and trap attackers, while providing security teams with valuable intelligence and insights. Therefore, an ethical hacker needs to use more subtle and stealthy techniques to detect and avoid honeypots.

The other options are valid techniques for detecting a honeypot. Probing system services and observing the three-way handshake can reveal anomalies or inconsistencies in the system’s responses, such as abnormal banners, ports, or protocols. Using honeypot detection tools like Send-Safe Honeypot Hunter can scan the target network and identify potential honeypots based on various criteria, such as IP address, domain name, or open ports. Analyzing the MAC address can detect instances running on VMware, which is a common platform for deploying honeypots. A honeypot running on VMware will have a MAC address that starts with 00:0C:29, 00:50:56, or 00:05:69. 





Sarah, a system administrator, was alerted to potential malicious activity on the network of her company. She discovered a malicious program spread through the instant messenger application used by her team. The attacker had obtained access to one of her teammates' messenger accounts and started sending files across the contact list. Which best describes the attack scenario and what measure could have prevented it?
A. Instant Messenger Applications; verifying the sender's identity before opening any files
B. Insecure Patch Management; updating application software regularly
C. Rogue/Decoy Applications; ensuring software is labeled as TRUSTED
D. Portable Hardware Media/Removable Devices; disabling Autorun functionality

Answer: A. Instant Messenger Applications; verifying the sender's identity before opening any files
Explanation: The attack scenario is best described as Instant Messenger Applications, and the measure that could have prevented it is verifying the sender’s identity before opening any files. Instant Messenger Applications are communication tools that allow users to exchange text, voice, video, and file messages in real time. However, they can also be used as attack vectors for spreading malware, such as viruses, worms, or Trojans, by exploiting the trust and familiarity between the users. In this scenario, the attacker compromised one of the team members’ messenger accounts and used it to send malicious files to the other team members, who may have opened them without suspicion, thus infecting their systems. This type of attack is also known as an instant messaging worm [1][2]. To prevent this type of attack, users should verify the sender’s identity before opening any files sent through instant messenger applications. This can be done by checking the sender’s profile, asking for confirmation, or using a secure channel. Additionally, users should follow other security tips, such as using strong passwords, updating the application software, scanning the files with antivirus software, and reporting any suspicious activity [3][4].

References:
1: Instant Messaging Worm - Techopedia
2: Cybersecurity’s Silent Foe: A Comprehensive Guide to Computer Worms | Silent Quadrant
3: Instant Messenger Hacks: 10 Security Tips to Protect Yourself - MUO
4: Increased phishing attacks on instant messaging platforms: how to prevent them | Think Digital Partners

