- (Topic 4)
In which of the following techniques does an attacker take network traffic coming towards a host at one port and forward it from that host to another host?
Correct Answer:
D
Port redirection is a technique by which an attacker takes network traffic coming towards a host at one port and redirects it from that host to another host. For example, tools such as Fpipe and Datapipe are port redirection tools that accept connections at any specified port and resend them to other specified ports on specified hosts. For example, the following command establishes a listener on port 25 on the test system and then redirects the connection to port 80 on the target system using the source port of 25. C.\>fpipe -l 25 -s 25 -r 80 IP_address Answer C is incorrect. Firewalking is a technique for gathering information about a remote network protected by a firewall. This technique can be used effectively to perform information gathering attacks. In this technique, an attacker sends a crafted packet with a TTL value that is set to expire one hop past the firewall. If the firewall allows this crafted packet through, it forwards the packet to the next hop. On the next hop, the packet expires and elicits an ICMP "TTL expired in transit" message to the attacker. If the firewall does not allow the traffic, there should be no response, or an ICMP "administratively prohibited" message should be returned to the attacker. A malicious attacker can use firewalking to determine the types of ports/protocols that can bypass the firewall. To use firewalking, the attacker needs the IP address of the last known gateway before the firewall and the IP address of a host located behind the firewall. The main drawback of this technique is that if an administrator blocks ICMP packets from leaving the network, it is ineffective. Answer A is incorrect. Snooping is an activity of observing the content that appears on a computer monitor or watching what a user is typing. Snooping also occurs by using software programs to remotely monitor activity on a computer or network device. Hackers or attackers use snooping techniques and equipment such as keyloggers to monitor keystrokes, capture passwords and login information, and to intercept e-mail and other private communications. Sometimes, organizations also snoop their employees legitimately to monitor their use of organizations' computers and track Internet usage. Answer B is incorrect. In UDP port scanning, a UDP packet is sent to each port of the target system. If the remote port is closed, the server replies that the remote port is unreachable. If the remote Port is open, no such error is generated. Many firewalls block the TCP port scanning, at that time the UDP port scanning may be useful. Certain IDS and firewalls can detect UDP port scanning easily.
- (Topic 4)
Which of the following is an Internet mapping technique that relies on various BGP collectors that collect information such as routing updates and tables and provide this information publicly?
Correct Answer:
C
AS PATH Inference is one of the prominent techniques used for creating Internet maps. This technique relies on various BGP collectors that collect information such as routing updates and tables and provide this information publicly. Each BGP entry contains a Path Vector attribute called the AS Path. This path represents an autonomous system forwarding path from a given origin for a given set of prefixes. These paths can be used to infer AS-level connectivity and in turn be used to build AS topology graphs. However, these paths do not necessarily reflect how data is actually forwardeA, Ddjacencies between AS nodes only represent a policy relationship between them. A single AS link can in reality be several router links. It is also much harder to infer peering between two AS nodes, as these peering relationships are only propagated to an ISP's customer networks. Nevertheless, support for this type of mapping is increasing as more and more ISP's offer to peer with public route collectors such as Route-Views and RIPE. New toolsets are emerging such as Cyclops and NetViews that take advantage of a new experimental BGP collector BGPMon. NetViews can not only build topology maps in seconds but visualize topology changes moments after occurring at the actual router. Hence, routing dynamics can be visualized in real time. Answer B is incorrect. There is no such Internet mapping technique.
Answer D is incorrect. Firewalking is a technique for gathering information about a remote network protected by a firewall. This technique can be used effectively to perform information gathering attacks. In this technique, an attacker sends a crafted packet with a TTL value that is set to expire one hop past the firewall. If the firewall allows this crafted packet through, it forwards the packet to the next hop. On the next hop, the packet expires and elicits an ICMP "TTL expired in transit" message to the attacker. If the firewall does not allow the traffic, there should be no response, or an ICMP "administratively prohibited" message should be returned to the attacker. A malicious attacker can use firewalking to determine the types of ports/protocols that can bypass the firewall. To use firewalking, the attacker needs the IP address of the last known gateway before the firewall and the IP address of a host located behind the firewall. The main drawback of this technique is that if an administrator blocks ICMP packets from leaving the network, it is ineffective. Answer A is incorrect. Path MTU discovery (PMTUD) is a technique in computer networking for determining the maximum transmission unit (MTU) size on the network path between two Internet Protocol (IP) hosts, usually with the goal of avoiding IP fragmentation. Path MTU discovery works by setting the DF (Don't Fragment) option bit in the IP headers of outgoing packets. Then, any device along the path whose MTU is smaller than the packet will drop it, and send back an ICMP "Fragmentation Needed" (Type 3, Code 4) message containing its MTU, allowing the source host to reduce its path MTU appropriately. The process repeats until the MTU is small enough to traverse the entire path without fragmentation. If the path MTU changes after the connection is set up and is lower than the previously determined path MTU, the first large packet will cause an ICMP error and the new, lower path MTU will be found. Conversely, if PMTUD finds that the path allows a larger MTU than what is possible on the lower link, the OS will periodically reprobe to see if the path has changed and now allows larger packets. On Linux this timer is set by default to ten minutes.
- (Topic 3)
Mark works as a Network Administrator for We-are-secure Inc. He finds that the We-are- secure server has been infected with a virus. He presents to the company a report that describes the symptoms of the virus. A summary of the report is given below: This virus has a dual payload, as the first payload of the virus changes the first megabyte of the hard drive to zero. Due to this, the contents of the partition tables are deleted and the computer hangs. The second payload replaces the code of the flash BIOS with garbage values. This virus spreads under the Portable Executable File Format under Windows 95, Windows 98, and Windows ME. Which of the following viruses has the symptoms as the one described above?
Correct Answer:
C
The Chernobyl (CIH) virus is a good example of a dual payload virus. Since the first payload of the virus changes the first megabyte of a computer's hard drive to zero, the contents of the partition tables are deleted, resulting in the computer hanging. The second payload of CIH replaces the code of the flash BIOS with garbage values so that the flash BIOS is unable to give a warning, the end result being that the user is incapable of changing the BIOS settings. CIH spreads under the Portable Executable file format under Windows 95, Windows 98, and Windows ME.
Answer A is incorrect. The I LOVE YOU virus is a VBScript virus in which a victim gets an email attachment titled as "I Love You" with an attachment file named as "Love-Letter-For- You.txt.vbs". When the victim clicks on this attachment, the virus script infects the victim's computer. The virus first scans system's memory for passwords, which are sent back to the virus' creator. In the next step, the virus replicates itself and sends its copy to each address in the victim's Outlook address book. Finally, the virus corrupts files with extensions .vbs, .vbe, .js, .css, .wsh, .sct, .hta, .jpg, .jpeg, .mp2, and .mp3 by overwriting them with a copy of itself. Answer D is incorrect. The Melissa virus infects Word 97 documents and the NORMAL.DOT file of Word 97 and Word 2000. This macro virus resides in word documents containing one macro named as "Melissa". The Melissa virus has the ability to spread itself very fast by using an e-mail. When the document infected by the Melissa virus is opened for the first time, the virus checks whether or not the user has installed Outlook on the computer. If it finds the Outlook, it sends e-mail to 50 addresses from the address book of the Outlook. This virus can spread only by using the Outlook. This virus is also known as W97M/Melissa, Kwyjibo, and Word97.Meliss Answer B is incorrect. Nimda is a mass mailing virus that spreads itself in attachments named README.EXE. It affects Windows 95, 98, ME, NT4, and Windows 2000 users. Nimda uses the Unicode exploit to infect IIS Web servers.
- (Topic 2)
You have to ensure that your Cisco Router is only accessible via telnet and ssh from the following hosts and subnets: 10.10.2.103 10.10.0.0/24 Which of the following sets of commands will you use to accomplish the task?
Correct Answer:
C
In order to accomplish the task, you will have to run the following sets of commands: access-list 10 permit host 10.10.2.103 access-list 10 permit 10.10.0.0 0.0.0.255 access-list 10 deny any line vty 0 4 access-class 10 in This configuration set meets all the requirements. The ACL is correctly configured and is applied to the VTY lines using the access-class command for inbound connections. Answer D is incorrect. This
configuration actually creates 3 separate ACL's (10, 11, and 12) and also incorrectly attempts to apply the ACL's to the VTY lines. Answer A is incorrect. This configuration is correct except for the access-class command being applied in the outbound direction. When using "access-class out", the router will not match connections coming into the router for Telnet and/or SSH. Instead, it will match connections being generated from the router. Answer B is incorrect. This configuration is correct except for the access-group command. Access-group is used to apply ACLs to an interface. Access-class is used to apply ACLs to VTY lines.
- (Topic 2)
Which of the following security policies will you implement to keep safe your data when you connect your Laptop to the office network over IEEE 802.11 WLANs? (Choose two)
Correct Answer:
AD
According to the scenario, you want to implement a security policy to keep safe your data when you connect your Laptop to the office network over IEEE 802.11 WLANs. For this, you will use the following two options:
* 1. Using IPSec enabled VPN for remote connectivity: Internet Protocol Security (IPSec) is a
standard-based protocol that provides the highest level of VPN security. IPSec can encrypt virtually everything above the networking layer. It is used for VPN connections that use the L2TP protocol. It secures both data and password.
* 2. Using personal firewall software on your Laptop: You can also create a firewall rule to block malicious packets so that you can secure your network. Answer C is incorrect. Portscanner is used for scanning port and tells which ports are open. However, this tool is very much useful in information gathering step of the attacking process, it cannot be used to protect a WLAN network. Answer B is incorrect. You cannot use the packet analyzer to protect your network. Packet analyzer is used to analyze data packets flowing in the network.