During a black-box pen test you attempt to pass IRC traffic over port 80/TCP from a compromised
web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type
of firewall is inspecting outbound traffic?
C
Explanation:
https://en.wikipedia.org/wiki/Internet_Relay_Chat
Internet Relay Chat (IRC) is an application layer protocol that facilitates communication in text. The
chat process works on a client/server networking model. IRC clients are computer programs that
users can install on their system or web-based applications running either locally in the browser or
on a third-party server. These clients communicate with chat servers to transfer messages to other
clients.
IRC is a plaintext protocol that is officially assigned port 194, according to IANA. However, running
the service on this port requires running it with root-level permissions, which is inadvisable. As a
result, the well-known port for IRC is 6667, a high-number port that does not require elevated
privileges. However, an IRC server can also be configured to run on other ports as well.
You can't tell if an IRC server is designed to be malicious solely based on port number. Still, if you see
an IRC server running on port a WKP such as 80, 8080, 53, 443, it's almost always going to be
malicious; the only real reason for IRCD to be running on port 80 is to try to evade firewalls.
https://en.wikipedia.org/wiki/Application_firewall
An application firewall is a form of firewall that controls input/output or system calls of an
application or service. It operates by monitoring and blocking communications based on a configured
policy, generally with predefined rule sets to choose from. The application firewall can control
communications up to the OSI model's application layer, which is the highest operating layer, and
where it gets its name. The two primary categories of application firewalls are network-based and
host-based.
Application layer filtering operates at a higher level than traditional security appliances. This allows
packet decisions to be made based on more than just source/destination IP Addresses or ports. It can
also use information spanning across multiple connections for any given host.
Network-based application firewalls
Network-based application firewalls operate at the application layer of a TCP/IP stack. They can
understand certain applications and protocols such as File Transfer Protocol (FTP), Domain Name
System (DNS), or Hypertext Transfer Protocol (HTTP). This allows it to identify unwanted applications
or services using a non-standard port or detect if an allowed protocol is being abused.
Host-based application firewalls
A host-based application firewall monitors application system calls or other general system
communication. This gives more granularity and control but is limited to only protecting the host it is
running on. Control is applied by filtering on a per-process basis. Generally, prompts are used to
define rules for processes that have not yet received a connection. Further filtering can be done by
examining the process ID of the owner of the data packets. Many host-based application firewalls are
combined or used in conjunction with a packet filter.
By using a smart card and pin, you are using a two-factor authentication that satisfies
B
Explanation:
Two-factor Authentication or 2FA is a user identity verification method, where two of the three
possible authentication factors are combined to grant access to a website or application.1)
something the user knows, 2) something the user has, or 3) something the user is.
The possible factors of authentication are:
· Something the User Knows:
This is often a password, passphrase, PIN, or secret question. To satisfy this authentication challenge,
the user must provide information that matches the answers previously provided to the organization
by that user, such as “Name the town in which you were born.”
· Something the User Has:
This involves entering a one-time password generated by a hardware authenticator. Users carry
around an authentication device that will generate a one-time password on command. Users then
authenticate by providing this code to the organization. Today, many organizations offer software
authenticators that can be installed on the user’s mobile device.
· Something the User Is:
This third authentication factor requires the user to authenticate using biometric data. This can
include fingerprint scans, facial scans, behavioral biometrics, and more.
For example: In internet security, the most used factors of authentication are:
something the user has (e.g., a bank card) and something the user knows (e.g., a PIN code). This is
two-factor authentication. Two-factor authentication is also sometimes referred to as strong
authentication, Two-Step Verification, or 2FA.
The key difference between Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA)
is that, as the term implies, Two-Factor Authentication utilizes a combination of two out of three
possible authentication factors. In contrast, Multi-Factor Authentication could utilize two or more of
these authentication factors.
“........is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one offered on
the premises, but actually has been set up to eavesdrop on wireless communications. It is the
wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or
mobile phone to a tainted hot-spot by posing as a legitimate provider. This type of attack may be
used to steal the passwords of
unsuspecting users by either snooping the communication link or by phishing, which involves setting
up a fraudulent web site and luring people there.”
Fill in the blank with appropriate choice.
A
Explanation:
https://en.wikipedia.org/wiki/Evil_twin_(wireless_networks)
An evil twin attack is a hack attack in which a hacker sets up a fake Wi-Fi network that looks like a
legitimate access point to steal victims’ sensitive details. Most often, the victims of such attacks are
ordinary people like you and me.
The attack can be performed as a man-in-the-middle (MITM) attack. The fake Wi-Fi access point is
used to eavesdrop on users and steal their login credentials or other sensitive information. Because
the hacker owns the equipment being used, the victim will have no idea that the hacker might be
intercepting things like bank transactions.
An evil twin access point can also be used in a phishing scam. In this type of attack, victims will
connect to the evil twin and will be lured to a phishing site. It will prompt them to enter their
sensitive data, such as their login details. These, of course, will be sent straight to the hacker. Once
the hacker gets them, they might simply disconnect the victim and show that the server is
temporarily unavailable.
ADDITION: It may not seem obvious what happened. The problem is in the question statement. The
attackers were not Alice and John, who were able to connect to the network without a password, but
on the contrary, they were attacked and forced to connect to a fake network, and not to the real
network belonging to Jane.
What term describes the amount of risk that remains after the vulnerabilities are classified and the
countermeasures have been deployed?
A
Explanation:
https://en.wikipedia.org/wiki/Residual_risk
The residual risk is the risk or danger of an action or an event, a method or a (technical) process that,
although being abreast with science, still conceives these dangers, even if all theoretically possible
safety measures would be applied (scientifically conceivable measures); in other words, the amount
of risk left over after natural or inherent risks have been reduced by risk controls.
· Residual risk = (Inherent risk) – (impact of risk controls)
Session splicing is an IDS evasion technique in which an attacker delivers data in multiple, small sized
packets to the target computer, making it very difficult for an IDS to detect the attack signatures.
Which tool can be used to perform session splicing attacks?
D
Explanation:
«Many IDS reassemble communication streams; hence, if a packet is not received within a
reasonable period, many IDS stop reassembling and handling that stream. If the application under
attack keeps a session active for a longer time than that spent by the IDS on reassembling it, the IDS
will stop. As a result, any session after the IDS stops reassembling the sessions will be susceptible to
malicious data theft by attackers. The IDS will not log any attack attempt after a successful splicing
attack. Attackers can use tools such as Nessus for session splicing attacks.»
Did you know that the EC-Council exam shows how well you know their official book? So, there is no
"Whisker" in it. In the chapter "Evading IDS" -> "Session Splicing", the recommended tool for
performing a session-splicing attack is Nessus. Where Wisker came from is not entirely clear, but I
will assume the author of the question found it while copying Wikipedia.
https://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques
One basic technique is to split the attack payload into multiple small packets so that the IDS must
reassemble the packet stream to detect the attack. A simple way of splitting packets is by
fragmenting them, but an adversary can also simply craft packets with small payloads. The 'whisker'
evasion tool calls crafting packets with small payloads 'session splicing'.
By itself, small packets will not evade any IDS that reassembles packet streams. However, small
packets can be further modified in order to complicate reassembly and detection. One evasion
technique is to pause between sending parts of the attack, hoping that the IDS will time out before
the target computer does. A second evasion technique is to send the packets out of order, confusing
simple packet re-assemblers but not the target computer.
NOTE: Yes, I found scraps of information about the tool that existed in 2012, but I can not give you
unverified information. According to the official tutorials, the correct answer is Nessus, but if you
know anything about Wisker, please write in the QA section. Maybe this question will be updated
soon, but I'm not sure about that.
You have successfully comprised a server having an IP address of 10.10.0.5. You would like to
enumerate all machines in the same network quickly.
What is the best Nmap command you will use?
B
Explanation:
https://nmap.org/book/man-port-specification.html
NOTE: In my opinion, this is an absolutely wrong statement of the question. But you may come
across a question with a similar wording on the exam. What does "fast" mean? If we want to increase
the speed and intensity of the scan we can select the mode using the -T flag (0/1/2/3/4/5). At high -T
values, we will sacrifice stealth and gain speed, but we will not limit functionality.
«nmap -T4 -F 10.10.0.0/24» This option is "correct" because of the -F flag.
-F (Fast (limited port) scan)
Specifies that you wish to scan fewer ports than the default. Normally Nmap scans the most common
1,000 ports for each scanned protocol. With -F, this is reduced to 100.
Technically, scanning will be faster, but just because we have reduced the number of ports by 10
times, we are just doing 10 times less work, not faster.
Which of the following is the BEST way to defend against network sniffing?
A
Explanation:
https://en.wikipedia.org/wiki/Sniffing_attack
To prevent networks from sniffing attacks, organizations and individual users should keep away from
applications using insecure protocols, like basic HTTP authentication, File Transfer Protocol (FTP), and
Telnet. Instead, secure protocols such as HTTPS, Secure File Transfer Protocol (SFTP), and Secure Shell
(SSH) should be preferred. In case there is a necessity for using any insecure protocol in any
application, all the data transmission should be encrypted. If required, VPN (Virtual Private
Networks) can be used to provide secure access to users.
NOTE: I want to note that the wording "best option" is valid only for the EC-Council's exam since the
other options will not help against sniffing or will only help from some specific attack vectors.
The sniffing attack surface is huge. To protect against it, you will need to implement a complex of
measures at all levels of abstraction and apply controls at the physical, administrative, and technical
levels. However, encryption is indeed the best option of all, even if your data is intercepted - an
attacker cannot understand it.
Although FTP traffic is not encrypted by default, which layer 3 protocol would allow for end-to-end
encryption of the connection?
B
Explanation:
https://en.wikipedia.org/wiki/IPsec
Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts
the packets of data to provide secure encrypted communication between two computers over an
Internet Protocol network. It is used in virtual private networks (VPNs).
IPsec includes protocols for establishing mutual authentication between agents at the beginning of a
session and negotiation of cryptographic keys to use during the session. IPsec can protect data flows
between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or
between a security gateway and a host (network-to-host). IPsec uses cryptographic security services
to protect communications over Internet Protocol (IP) networks. It supports network-level peer
authentication, data-origin authentication, data integrity, data confidentiality (encryption), and
replay protection.
The initial IPv4 suite was developed with few security provisions. As a part of the IPv4 enhancement,
IPsec is a layer 3 OSI model or internet layer end-to-end security scheme. In contrast, while some
other Internet security systems in widespread use operate above layer 3, such as Transport Layer
Security (TLS) that operates at the Transport Layer and Secure Shell (SSH) that operates at the
Application layer, IPsec can automatically secure applications at the IP layer.
Incorrect answers:
SFTP
https://en.wikipedia.org/wiki/File_Transfer_Protocol#FTP_over_SSH
FTP over SSH is the practice of tunneling a normal FTP session over a Secure Shell connection.[27]
Because FTP uses multiple TCP connections (unusual for a TCP/IP protocol that is still in use), it is
particularly difficult to tunnel over SSH. With many SSH clients, attempting to set up a tunnel for the
control channel (the initial client-to-server connection on port 21) will protect only that channel;
when data is transferred, the FTP software at either end sets up new TCP connections (data channels)
and thus have no confidentiality or integrity protection.
FTPS
https://en.wikipedia.org/wiki/FTPS
FTPS (also known FTP-SSL, and FTP Secure) is an extension to the commonly used File Transfer
Protocol (FTP) that adds support for the Transport Layer Security (TLS) and, formerly, the Secure
Sockets Layer cryptographic protocols.
SSL
https://en.wikipedia.org/wiki/Transport_Layer_Security
Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are
cryptographic protocols designed to provide communications security over a computer network.
Several versions of the protocols are widely used in applications such as web browsing, email, instant
messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between
their servers and web browsers.
NOTE: All of these protocols are the application layer of the OSI model.
You are the Network Admin, and you get a complaint that some of the websites are no longer
accessible. You try to ping the servers and find them to be reachable. Then you type the IP address
and then you try on the browser, and find it to be accessible. But they are not accessible when you
try using the URL.
What may be the problem?
A
Explanation:
Most likely have an issue with DNS.
DNS stands for “Domain Name System.” It’s a system that lets you connect to websites by matching
human-readable domain names (like example.com) with the server's unique ID where a website is
stored.
Think of the DNS system as the internet’s phonebook. It lists domain names with their corresponding
identifiers called IP addresses, instead of listing people’s names with their phone numbers. When a
user enters a domain name like wpbeginner.com on their device, it looks up the IP address and
connects them to the physical location where that website is stored.
NOTE: Often DNS lookup information will be cached locally inside the querying computer or remotely
in the DNS infrastructure. There are typically 8 steps in a DNS lookup. When DNS information is
cached, steps are skipped from the DNS lookup process, making it quicker. The example below
outlines all 8 steps when nothing is cached.
The 8 steps in a DNS lookup:
1. A user types ‘example.com’ into a web browser, and the query travels into the Internet and is
received by a DNS recursive resolver;
2. The resolver then queries a DNS root nameserver;
3. The root server then responds to the resolver with the address of a Top-Level Domain (TLD) DNS
server (such as .com or .net), which stores the information for its domains. When searching for
example.com, our request is pointed toward the .com TLD;
4. The resolver then requests the .com TLD;
5. The TLD server then responds with the IP address of the domain’s nameserver, example.com;
6. Lastly, the recursive resolver sends a query to the domain’s nameserver;
7. The IP address for example.com is then returned to the resolver from the nameserver;
8. The DNS resolver then responds to the web browser with the IP address of the domain requested
initially;
Once the 8 steps of the DNS lookup have returned the IP address for example.com, the browser can
request the web page:
9. The browser makes an HTTP request to the IP address;
10. The server at that IP returns the webpage to be rendered in the browser.
NOTE 2: DNS primarily uses the User Datagram Protocol (UDP) on port number 53 to serve requests.
And if this port is blocked, then a problem arises already in the first step. But the ninth step is
performed without problems.
Which of the following tools is used to detect wireless LANs using the 802.11a/b/g/n WLAN
standards on a linux platform?
A
Explanation:
https://en.wikipedia.org/wiki/Kismet_(software)
Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs.
Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a,
802.11b, 802.11g, and 802.11n traffic.
Incorrect answers:
Nessus
https://en.wikipedia.org/wiki/Nessus_(software)
Nessus is a remote security scanning tool that scans a computer and raises an alert if it discovers any
vulnerabilities that malicious hackers could use to access any computer you have connected to a
network.
Nmap
https://en.wikipedia.org/wiki/Nmap
Nmap (Network Mapper) is a free and open-source network scanner created by Gordon Lyon (also
known by his pseudonym Fyodor Vaskovich). Nmap is used to discover hosts and services on a
computer network by sending packets and analyzing the responses.
Nmap provides a number of features for probing computer networks, including host discovery and
service and operating system detection. These features are extensible by scripts that provide more
advanced service detection, vulnerability detection, and other features. Nmap can adapt to network
conditions including latency and congestion during a scan.
Abel
https://en.wikipedia.org/wiki/Cain_and_Abel_(software)
Cain and Abel (often abbreviated to Cain) was a password recovery tool for Microsoft Windows. It
could recover many kinds of passwords using methods such as network packet sniffing, cracking
various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis
attacks. Cryptanalysis attacks were done via rainbow tables which could be generated with the
winrtgen.exe program provided with Cain and Abel.