Joe the Hacker breaks into XYZ's Linux system and plants a wiretap program in order to sniff passwords and user accounts off the wire. The wiretap program is embedded as a Trojan horse in one of the network utilities. Joe is worried that the network administrator might detect the wiretap program by querying the interfaces to see if they are running in promiscuous mode.
What can Joe do to hide the wiretap program from being detected by ifconfig command?
A. Block output to the console whenever the user runs the ifconfig command by running a screen capture utility.
B. Run the wiretap program in stealth mode from being detected by the ifconfig command.
C. Replace original ifconfig utility with the rootkit version of ifconfig hiding Promiscuous information being displayed on the console.
D. You cannot disable Promiscuous mode detection on Linux systems.
The normal way to hide these rogue programs running on systems is to use crafted versions of commands like ifconfig and ls.
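A defender's counterpart to the explanation above, added here as an example and not part of the original question set: instead of trusting the ifconfig binary in PATH, read the kernel's own view of promiscuous mode. Two sources are parsed: the promiscuity counter that "ip -d link" prints on each interface's link/ line (raised by any packet socket that requests promiscuous capture), and the "device X entered promiscuous mode" line the kernel logs. The sample "ip -d link" output and kernel log line are constructed; the output formats assumed are those of iproute2 and the Linux kernel.

```shell
# Added example: locate interfaces in promiscuous mode from kernel-provided data,
# so that a trojaned ifconfig has nothing to filter.

# Parse "ip -d link" output on stdin; print each interface whose promiscuity
# counter is greater than zero.
promisc_from_ip_link() {
    awk '
        # "2: eth0: <BROADCAST,...>" starts a new interface block
        /^[0-9]+: / { iface = $2; sub(/:$/, "", iface); sub(/@.*/, "", iface) }
        # "link/ether ... promiscuity N ..." carries the counter (-d output only)
        / promiscuity [0-9]+/ {
            for (i = 1; i < NF; i++)
                if ($i == "promiscuity" && $(i + 1) + 0 > 0) print iface
        }'
}

# Parse kernel log lines (dmesg, journalctl -k) on stdin; print the interface
# named in each "entered promiscuous mode" transition.
promisc_from_kernel_log() {
    sed -n 's/.*device \([^ ]*\) entered promiscuous mode.*/\1/p'
}

# Constructed sample of "ip -d link" output: eth0 is being sniffed, lo is not.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535'

# Constructed sample kernel log line.
SAMPLE_KLOG='[  842.117] device eth0 entered promiscuous mode'

# Live use on a host (requires iproute2 and read access to the kernel log):
#   ip -d link | promisc_from_ip_link
#   dmesg | promisc_from_kernel_log
```

Both checks bypass the userland tools a rootkit typically replaces; a kit that also patches the kernel can defeat them, which is why the kernel log should additionally be shipped to a remote collector.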
What is the expected result of the following exploit?
A. Opens up a telnet listener that requires no username or password.
B. Create a FTP server with write permissions enabled.
C. Creates a share called psasfileq on the target system.
D. Creates an account with a user name of Anonymous and a password of firstname.lastname@example.org.
The script being depicted is in Perl (both msadc.pl and the script they're using as a wrapper). $port, $your, $user, $pass and $host are variables that hold the port # of a DNS server, an IP, a username and an FTP password. $host is set to argument variable 0 (which means the string typed directly after the command). Essentially what happens is it connects to an FTP server and downloads nc.exe (the TCP/IP swiss-army knife — netcat) and uses nc to open a TCP port spawning cmd.exe (cmd.exe is the Win32 DOS shell on NT/2000/2003/XP). cmd.exe, when spawned, requires NO username or password and has the permissions of the username it is being executed as (probably guest in this instance, although it could be administrator). The #'s in the script mean the text following is a comment; notice the last line in particular: if the # was removed, the script would spawn a connection to itself, the host system it was running on.
You have just installed a new Linux file server at your office. This server is going to be used by several individuals in the organization, and unauthorized personnel must not be able to modify any data.
What kind of program can you use to track changes to files on the server?
A. Network Based IDS (NIDS)
B. Personal Firewall
C. System Integrity Verifier (SIV)
D. Linux IP Chains
System Integrity Verifiers like Tripwire aid system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner.
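A minimal system integrity verifier in the spirit of the explanation above, added here as an example; it is not Tripwire's code or database format. siv_baseline records a SHA-256 digest, permission mode and owner for every regular file under a directory, and siv_check recomputes them and reports added, removed and modified files. It assumes GNU coreutils (sha256sum, stat -c) and paths without whitespace.

```shell
# Added example: a tiny SIV. Baseline on a known-good system, store the
# database off-host or read-only, then run siv_check on a schedule.

# Emit one line per regular file: "<sha256> <mode> <owner> <path>"
siv_snapshot() {   # siv_snapshot DIR
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
                            "$(stat -c '%a %U' "$f")" "$f"
    done
}

siv_baseline() {   # siv_baseline DIR DBFILE
    siv_snapshot "$1" > "$2"
}

# Compare the current tree against DBFILE. Prints ADDED/MODIFIED/REMOVED lines;
# returns 1 if anything differs, 0 if the tree matches the baseline.
siv_check() {   # siv_check DIR DBFILE
    cur=$(mktemp)
    siv_snapshot "$1" > "$cur"
    report=$(awk '
        # first file: the baseline, keyed by path (field 4)
        FILENAME == ARGV[1] { base[$4] = $1 " " $2 " " $3; next }
        # second file: the current snapshot
        {
            if (!($4 in base)) print "ADDED " $4
            else {
                if (base[$4] != $1 " " $2 " " $3) print "MODIFIED " $4
                delete base[$4]
            }
        }
        END { for (p in base) print "REMOVED " p }' "$2" "$cur" | sort)
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage:
#   siv_baseline /etc /var/lib/siv/etc.db
#   siv_check /etc /var/lib/siv/etc.db || mail -s "integrity alert" root
```

Because the comparison is on content digests rather than timestamps, resetting mtime and atime on a modified file (as the touch -r trick in the log-analysis question later on this page does) does not hide the change.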
Jim's organization has just completed a major Linux roll out and now all of the organization's systems are running the Linux 2.5 kernel. The roll out expenses have posed constraints on purchasing other essential security equipment and software. The organization requires an option to control network traffic and also perform stateful inspection of traffic going into and out of the DMZ.
Which built-in functionality of Linux can achieve this?
A. IP Tables
B. IP Chains
C. IP Sniffer
D. IP ICMP
iptables is a user space application program that allows a system administrator to configure the netfilter tables, chains, and rules. Because iptables requires elevated privileges to operate, it must be executed by user root, otherwise it fails to function. On most Linux systems, iptables is installed as /sbin/iptables. IP Tables performs stateful inspection while the older IP Chains only performs stateless inspection.
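What "stateful inspection" looks like in practice, as an added example (not from the original page): a DMZ forwarding policy emitted in iptables-restore format. The conntrack match is the part ipchains cannot express: reply traffic is accepted because it belongs to a tracked connection, not because the reply port is open in both directions. The interface names and the web server address (an RFC 5737 documentation address) are assumptions.

```shell
# Added example: stateful DMZ filter for iptables-restore.
DMZ_IF="${DMZ_IF:-eth1}"            # assumed: DMZ-facing interface
WAN_IF="${WAN_IF:-eth0}"            # assumed: internet-facing interface
DMZ_WEB="${DMZ_WEB:-192.0.2.10}"    # assumed: the public web server in the DMZ

dmz_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Packets conntrack cannot classify (bad TCP flags, out-of-window) are dropped
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Anything belonging to an already-tracked connection may pass in either direction
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only explicitly allowed NEW connections create a conntrack entry
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $DMZ_WEB -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $DMZ_WEB -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# DMZ hosts may not initiate connections anywhere; log, then drop
-A FORWARD -i $DMZ_IF -m conntrack --ctstate NEW -j LOG --log-prefix "DMZ-OUT-NEW: "
-A FORWARD -i $DMZ_IF -m conntrack --ctstate NEW -j DROP
COMMIT
EOF
}

# Parse-only check, no change to the live tables (as root):
#   dmz_ruleset | iptables-restore --test
# Apply (as root):
#   dmz_ruleset | iptables-restore
```

A stateless equivalent would need a rule permitting inbound packets from source port 80/443 on every destination port, which is exactly the kind of hole that lets a compromised DMZ host reach back into the network.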
WinDump is a popular sniffer which results from the porting to Windows of TcpDump for Linux. What library does it use?
D. None of the above
WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.
Several of your co-workers are having a discussion over the /etc/passwd file. They are at odds over what types of encryption are used to secure Linux passwords. (Choose all that apply.)
A. Linux passwords can be encrypted with MD5
B. Linux passwords can be encrypted with SHA
C. Linux passwords can be encrypted with DES
D. Linux passwords can be encrypted with Blowfish
E. Linux passwords are encrypted with asymmetric algorithms
Linux passwords are encrypted using MD5, DES, and the NEW addition Blowfish. The default on most Linux systems is dependent on the distribution: RedHat uses MD5, while Slackware uses DES. The Blowfish option is there for those who wish to use it. The encryption algorithm in use can be determined by authconfig on RedHat-based systems, or by reviewing one of two locations: on PAM-based systems (Pluggable Authentication Module) it can be found in /etc/pam.d/, in the system-auth file or authconfig files. In other systems it can be found in the /etc/security/ directory.
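The quickest way to see which scheme is actually in use is to look at the hash prefix in /etc/shadow rather than the PAM configuration, since the configuration only governs new password changes. The following is an added example, not part of the original page: it classifies each hash by its crypt prefix. The three schemes the page names are MD5 ($1$), traditional DES (a 13-character hash with no prefix) and Blowfish/bcrypt ($2a$, $2b$, $2y$); the $5$/$6$ (SHA-256/SHA-512 crypt) and $y$ (yescrypt) prefixes were added to glibc and libxcrypt later than the question set assumes, and are included so the check stays useful on current systems. The shadow lines are constructed and the hash values are placeholders.

```shell
# Added example: identify the password hashing scheme from the hash field.
hash_scheme() {   # hash_scheme HASHFIELD -> prints scheme name
    case "$1" in
        '!'*|'*')                echo locked ;;     # disabled account
        '')                      echo empty ;;      # no password at all
        '$1$'*)                  echo md5 ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo blowfish ;;   # bcrypt
        '$5$'*)                  echo sha256 ;;
        '$6$'*)                  echo sha512 ;;
        '$y$'*)                  echo yescrypt ;;
        *)  # traditional DES crypt: 2-char salt + 11 chars, no "$id$" prefix
            if [ ${#1} -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# Read shadow-format lines on stdin; print "user scheme" per line.
shadow_schemes() {
    while IFS=: read -r user hash _; do
        printf '%s %s\n' "$user" "$(hash_scheme "$hash")"
    done
}

# Constructed sample (hash bodies are placeholders, not real digests).
SAMPLE_SHADOW='root:$6$zX1aBcDe$CONSTRUCTEDSHA512HASH:19400:0:99999:7:::
alice:$1$saltsalt$CONSTRUCTEDMD5H:19400:0:99999:7:::
bob:abJnggxhB/yWI:19400:0:99999:7:::
carol:$2y$10$CONSTRUCTEDBCRYPTSALTANDHASH:19400:0:99999:7:::
daemon:*:19400:0:99999:7:::
nobody::19400:0:99999:7:::'

# On a real host (root): shadow_schemes < /etc/shadow
```

Any "des" or "empty" result is worth acting on: DES crypt truncates passwords to 8 characters, and an empty field means the account logs in with no password at all.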
Rebecca has noted multiple entries in her logs about users attempting to connect on ports that are either not opened or ports that are not for public usage. How can she restrict this type of abuse by limiting access to only specific IP addresses that are trusted by using one of the built-in Linux Operating System tools?
A. Ensure all files have at least a 755 or more restrictive permissions.
B. Configure rules using ipchains.
C. Configure and enable portsentry on her server.
D. Install an intrusion detection system on her computer such as Snort.
ipchains is a free software based firewall for Linux. It is a rewrite of Linux's previous IPv4 firewalling code, ipfwadm. In Linux 2.2, ipchains is required to administer the IP packet filters. ipchains was written because the older IPv4 firewall code used in Linux 2.0 did not work with IP fragments and didn't allow for specification of protocols other than TCP, UDP, and ICMP.
John is discussing security with Jane. Jane had mentioned to John earlier that she suspects an LKM has been installed on her server. She believes this is the reason that the server has been acting erratically lately. LKM stands for Loadable Kernel Module.
What does this mean in the context of Linux Security?
A. Loadable Kernel Modules are a mechanism for adding functionality to a file system without requiring a kernel recompilation.
B. Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel after it has been recompiled and the system rebooted.
C. Loadable Kernel Modules are a mechanism for adding auditing to an operating-system kernel without requiring a kernel recompilation.
D. Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel without requiring a kernel recompilation.
Loadable Kernel Modules, or LKMs, are object files that contain code to extend the running kernel, or so-called base kernel, without the need of a kernel recompilation. Operating systems other than Linux, such as BSD systems, also provide support for LKMs. However, the Linux kernel generally makes far greater and more versatile use of LKMs than other systems. LKMs are typically used to add support for new hardware, filesystems or for adding system calls. When the functionality provided by an LKM is no longer required, it can be unloaded, freeing memory.
Which of the following snort rules look for FTP root login attempts?
A. alert tcp -> any port 21 (msg:"user root";)
B. alert tcp -> any port 21 (message:"user root";)
C. alert ftp -> ftp (content:"user password root";)
D. alert tcp any any -> any any 21 (content:"user root";)
The Snort rule header is built by defining the action (alert), protocol (tcp), from IP subnet and port (any any), to IP subnet and port (any any 21), followed by the payload detection rule options (content:"user root";).
After studying the following log entries, how many user IDs can you identify that the attacker has tampered with?
1. mkdir -p /etc/X11/applnk/Internet/.etc
2. mkdir -p /etc/X11/applnk/Internet/.etcpasswd
3. touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd
4. touch -acmr /etc /etc/X11/applnk/Internet/.etc
5. passwd nobody -d
6. /usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash
7. passwd dns -d
8. touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd
9. touch -acmr /etc/X11/applnk/Internet/.etc /etc
passwd is the command used to modify a user password, and it has been used together with the usernames nobody and dns.
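The log shows two results a defender can check for directly: an extra account with UID 0 and GID 0 (line 6) and accounts whose password has been deleted with passwd -d (lines 5 and 7). The following added example (not from the original page) scans passwd and shadow content for both conditions. The passwd and shadow lines are constructed to reflect the state the log would leave behind; the hash values are placeholders.

```shell
# Added example: detect UID-0 backdoor accounts and password-less accounts.

# passwd-format lines on stdin; print every user other than root with UID 0.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# shadow-format lines on stdin; print every user whose hash field is empty.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }'
}

# passwd-format lines on stdin; print users whose home directory is a system
# binary directory, as created by "adduser dns -d/bin" in the log.
odd_home_accounts() {
    awk -F: '$6 == "/bin" || $6 == "/sbin" || $6 == "/usr/bin" { print $1 }'
}

# Constructed sample reflecting lines 5-7 of the log above.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
dns:x:0:0::/bin:/bin/bash'

SAMPLE_SHADOW='root:$6$abcdefgh$CONSTRUCTEDHASH:19400:0:99999:7:::
nobody::19400:0:99999:7:::
alice:$6$ijklmnop$CONSTRUCTEDHASH:19400:0:99999:7:::
dns::19400:0:99999:7:::'

# On a real host (root):
#   uid0_accounts < /etc/passwd
#   empty_password_accounts < /etc/shadow
#   odd_home_accounts < /etc/passwd
```

Lines 3 and 8 of the log use touch -r to copy the original timestamps of /etc/passwd back onto the modified file, so a check based on mtime would show nothing; the account content itself, or a content-hash integrity baseline, is what reveals the change.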