Which one of the following attacks will pass through a network layer intrusion detection system undetected?
A. A teardrop attack
B. A SYN flood attack
C. A DNS spoofing attack
D. A test.cgi attack
Because a network-based IDS reviews packets and headers,it can also detect denial of service (DoS) attacks Not A or B: The following sections discuss some of the possible DoS attacks available. Smurf Fraggle SYN Flood Teardrop DNS DoS Attacksq
Why would an ethical hacker use the technique of firewalking?
A. It is a technique used to discover wireless network on foot.
B. It is a technique used to map routers on a network link.
C. It is a technique used to discover the nature of rules configured on a gateway.
D. It is a technique used to discover interfaces in promiscuous mode.
Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attackeros host to a destination host through a packet-filtering device. This technique can be used to map nopeno or npass througho ports on a gateway. More over,it can determine whether packets with various control information can pass through a given gateway.
What makes web application vulnerabilities so aggravating? (Choose two)
A. They can be launched through an authorized port.
B. A firewall will not stop them.
C. They exist only on the Linux platform.
D. They are detectable by most leading antivirus software.
As the vulnerabilities exists on a web server,incoming traffic on port 80 will probably be allowed and no firewall rules will stop the attack.
An employee wants to defeat detection by a network-based IDS application. He does not want to attack the system containing the IDS application.
Which of the following strategies can be used to defeat detection by a network-based IDS application? (Choose the best answer)
A. Create a network tunnel.
B. Create a multiple false positives.
C. Create a SYN flood.
D. Create a ping flood.
Certain types of encryption presents challenges to network-based intrusion detection and may leave the IDS blind to certain attacks,where a host-based IDS analyzes the data after it has been decrypted.
Carl has successfully compromised a web server from behind a firewall by exploiting a vulnerability in the web server program. He wants to proceed by installing a backdoor program. However, he is aware that not all inbound ports on the firewall are in the open state.
From the list given below, identify the port that is most likely to be open and allowed to reach the server that Carl has just compromised.
Port 53 is used by DNS and is almost always open,the problem is often that the port is opened for the hole world and not only for outside DNS servers.
While scanning a network you observe that all of the web servers in the DMZ are responding to ACK packets on port 80.
What can you infer from this observation?
A. They are using Windows based web servers.
B. They are using UNIX based web servers.
C. They are not using an intrusion detection system.
D. They are not using a stateful inspection firewall.
If they used a stateful inspection firewall this firewall would know if there has been a SYN-ACK before the ACK.
You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discover the internal structure of publicly accessible areas of the network.
How can you achieve this?
A. Block ICMP at the firewall.
B. Block UDP at the firewall.
C. Both A and B.
D. There is no way to completely block doing a trace route into this area.
When you run a traceroute to a target network address,you send a UDP packet with one time to live (TTL) to the target address. The first router this packet hits decreases the TTL to 0 and rejects the packet. Now the TTL for the packet is expired. The router sends back an ICMP message type 11 (Exceeded) code 0 (TTL–Exceeded) packet to your system with a source address. Your system displays the round-trip time for that first hop and sends out the next UDP packet with a TTL of 2.
This process continues until you receive an ICMP message type 3 (Unreachable) code 3 (Port–Unreachable) from the destination system. Traceroute is completed when your machine receives a Port-Unreachable message.
If you receive a message with three asterisks [* * *] during the traceroute,a router in the path doesn’t return ICMP messages. Traceroute will continue to send UDP packets until the destination is reached or the maximum number of hops is exceeded.
Bob, an Administrator at XYZ was furious when he discovered that his buddy Trent, has launched a session hijack attack against his network, and sniffed on his communication, including administrative tasks suck as configuring routers, firewalls, IDS, via Telnet.
Bob, being an unhappy administrator, seeks your help to assist him in ensuring that attackers such as Trent will not be able to launch a session hijack in XYZ.
Based on the above scenario, please choose which would be your corrective measurement actions. (Choose two)
A. Use encrypted protocols,like those found in the OpenSSH suite.
B. Implement FAT32 filesystem for faster indexing and improved performance.
C. Configure the appropriate spoof rules on gateways (internal and external).
D. Monitor for CRP caches,by using IDS products.
First you should encrypt the data passed between the parties; in particular the session key. This technique is widely relied-upon by web-based banks and other e-commerce services,because it completely prevents sniffing-style attacks. However,it could still be possible to perform some other kind of session hijack. By configuring the appropriate spoof rules you prevent the attacker from using the same IP address as the victim as thus you can implement secondary check to see that the IP does not change in the middle of the session.
Network Intrusion Detection systems can monitor traffic in real time on networks.
Which one of the following techniques can be very effective at avoiding proper detection?
A. Fragmentation of packets.
B. Use of only TCP based protocols.
C. Use of only UDP based protocols.
D. Use of fragmented ICMP traffic only.
If the default fragmentation reassembly timeout is set to higher on the client than on the IDS then the it is possible to send an attack in fragments that will never be reassembled in the IDS but they will be reassembled and read on the client computer acting victim.
What do you conclude from the nmap results below?
Staring nmap V. 3.10ALPHA0 (www.insecure.org/map/)
(The 1592 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
25/tcp open smtp
80/tcp open http
443/tcp open https
Remote operating system guess: Too many signatures match the reliability guess the OS. Nmap run completed Ƀ 1 IP address (1 host up) scanned in 91.66 seconds
A. The system is a Windows Domain Controller.
B. The system is not firewalled.
C. The system is not running Linux or Solaris.
D. The system is not properly patched.
There is no reports of any ports being filtered.