04 Sniffing and Evasion Flashcards

1
Q
  1. Given the following Wireshark filter, what is the attacker attempting to view?
    ((tcp.flags == 0x02) || (tcp.flags == 0x12) ) ||
    ((tcp.flags == 0x10) && (tcp.ack==1) && (tcp.len==0) )
    A. SYN, SYN/ACK, ACK
    B. SYN, FIN, URG, and PSH
    C. ACK, ACK, SYN, URG
    D. SYN/ACK only
A

A. You’ll see bunches of Wireshark questions on your exam (it’s probably the subject EC-Council loves the most regarding this chapter), and syntax will be the key to answering all of them. For this particular question, remember that Wireshark exposes the TCP flags as one bit field, tcp.flags, which you can compare against a hex value. The flag bits are FIN = 0x01, SYN = 0x02, RST = 0x04, PSH = 0x08, ACK = 0x10, and URG = 0x20 (1, 2, 4, 8, 16, and 32 in decimal). Adding the bits together describes a combination: SYN + ACK = 0x02 + 0x10 = 0x12. So tcp.flags == 0x02 matches packets with only SYN set, tcp.flags == 0x12 matches SYN/ACK, and tcp.flags == 0x10 matches packets with only ACK set. Note the values are hex, not decimal: 0x12 is 18, and the common mistake of writing 0x16 for ACK actually matches 22, which is SYN + RST + ACK. Two more details in the third clause: tcp.ack is the acknowledgment number, not the ACK flag (that one is tcp.flags.ack), and with Wireshark’s default relative sequence numbers tcp.ack == 1 together with tcp.len == 0 singles out the bare ACK that completes the handshake rather than every ACK in the session. The filter therefore shows the three steps of the TCP three-way handshake and nothing else, which is a handy way to pick out every connection attempt in a large capture.
As far as the rest of Wireshark filtering syntax goes, there are a couple of key points to remember. First, be sure to remember it uses double “equals” signs (==) in the expression (ip.addr = 10.10.10.0/24 won’t work, but ip.addr == 10.10.10.0/24 will; Wireshark also accepts eq, and, and or as spelled-out forms of ==, &&, and ||). Next, know the difference between “and” and “or.” An “and” (&&) means a packet is displayed only if both expressions are true (in other words, “Show me packets from this source address that are also headed to this destination IP. If it’s from this source but going somewhere else, ignore it. If it’s headed to this destination but is not from this source, ignore it.”). An “or” (||) means a packet is displayed if either expression is true (“Show me every packet from this source address, whatever its destination, plus every packet to this destination, whatever its source”).
B, C, and D are incorrect because those combinations don’t match the values in the filter: 0x02 is SYN alone, 0x12 (18 decimal) is SYN/ACK, and 0x10 (16 decimal) is ACK alone. None of the clauses can match FIN (0x01), PSH (0x08), or URG (0x20).
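To see exactly which segments the question’s filter keeps, here is an added example (not part of the flashcard or of Wireshark) that parses raw TCP headers into the same fields Wireshark names and evaluates the three clauses. The sample segments are constructed inline; the acknowledgment number is written as Wireshark would display it with relative sequence numbers on, which is an assumption of the example, not something a raw capture gives you.

```python
import struct

# TCP flag bits exactly as Wireshark's tcp.flags field exposes them (hex)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def flag_names(flags):
    """Render a tcp.flags value the way a person reads it: 0x12 -> 'SYN/ACK'."""
    names = [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]
    return "/".join(names) if names else "(none)"


def parse_tcp_segment(segment):
    """Pull the Wireshark-style fields out of a raw TCP segment (header + payload).

    tcp.flags is the low 6 bits of the 16-bit data-offset/flags word,
    tcp.ack is the acknowledgment NUMBER (not the ACK flag; that is tcp.flags.ack),
    tcp.len is the payload length: segment length minus the header length.
    """
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack_num, offset_flags = struct.unpack("!HHIIH", segment[:14])
    header_len = (offset_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    flags = offset_flags & 0x3F              # keep FIN..URG, drop ECE/CWR/NS
    return {"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
            "tcp.ack": ack_num, "tcp.flags": flags,
            "tcp.len": len(segment) - header_len}


def handshake_filter(f):
    """The question's filter, clause for clause:
    ((tcp.flags == 0x02) || (tcp.flags == 0x12)) ||
    ((tcp.flags == 0x10) && (tcp.ack == 1) && (tcp.len == 0))
    """
    return (f["tcp.flags"] == 0x02 or f["tcp.flags"] == 0x12) or \
           (f["tcp.flags"] == 0x10 and f["tcp.ack"] == 1 and f["tcp.len"] == 0)


def build_segment(flags, payload=b"", ack=1, sport=40000, dport=80):
    """Constructed 20-byte TCP header (no options) for the samples below.
    The ack number is written as Wireshark would *display* it with relative
    sequence numbers on (its default), so 1 means 'acknowledging the SYN'."""
    offset_flags = (5 << 12) | flags         # data offset = 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", sport, dport, 1, ack, offset_flags, 65535, 0, 0) + payload


def classify(segments):
    """Return [(flags as text, matched?)] for a list of raw segments."""
    out = []
    for seg in segments:
        fields = parse_tcp_segment(seg)
        out.append((flag_names(fields["tcp.flags"]), handshake_filter(fields)))
    return out


# Constructed sample traffic: one handshake, some data, a later pure ACK, teardown.
SAMPLE = [
    build_segment(SYN, ack=0),                                    # 1: client SYN
    build_segment(SYN | ACK),                                     # 2: server SYN/ACK
    build_segment(ACK),                                           # 3: client ACK, no data
    build_segment(PSH | ACK, payload=b"GET / HTTP/1.0\r\n\r\n"),  # request: PSH set
    build_segment(ACK, payload=b"x" * 10),                        # ACK carrying data: tcp.len != 0
    build_segment(ACK, ack=350),                                  # later pure ACK: tcp.ack != 1
    build_segment(FIN | ACK),                                     # teardown
]

if __name__ == "__main__":
    for names, hit in classify(SAMPLE):
        print("%-8s %s" % (names, "shown" if hit else "hidden"))
```

Only the first three segments survive the filter; the data-carrying ACK is dropped by tcp.len and the later pure ACK by tcp.ack, which is the difference between “every ACK” and “the handshake’s ACK.”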

2
Q
  1. A target machine (with a MAC of 12:34:56:AB:CD:EF) is connected to a switch port. An attacker (with a MAC of 78:91:00:ED:BC:A1) is attached to a separate port on the same switch with a packet capture running. There is no spanning of ports or port security in place. Two packets leave the target machine. Message 1 has a destination MAC of E1:22:BA:87:AC:12. Message 2 has a destination MAC of FF:FF:FF:FF:FF:FF. Which of the following statements is true regarding the messages being sent?
    A. The attacker will see message 1.
    B. The attacker will see message 2.
    C. The attacker will see both messages.
    D. The attacker will see neither message.
A

B. This question is all about how a switch works, with a little MAC knowledge thrown in. Remember that switches are designed to filter unicast frames but to flood multicast and broadcast frames (filtering delivers a frame to only one port, whereas flooding sends it out every port except the one it came in on). Broadcast MAC addresses in the frame are easy to spot: they’re always all Fs, indicating all 48 bits turned on in the address. In this case, message 1 is a unicast frame and went off to its destination port only, whereas message 2 is clearly a broadcast, which the switch will gladly flood to all ports, including the attacker’s.
Other versions of this same question will center on the efforts an attacker can use to see that packet. Should the attacker desire to see all messages, a MAC flood could turn the switch into a hub, effectively flooding all packets to all ports. Another option is to span a port (break into the configuration of the switch and tell it to copy all traffic to or from a specific port to the attacker’s port as well). Lastly, port stealing (a totally fun memorization term from EC-Council) has the attacker send frames whose source MAC is the target’s, so the switch re-learns the target’s MAC on the attacker’s port and delivers the target’s frames there. It is a race: every time the real host transmits, the switch learns it back on the correct port, so the attacker keeps repeating the forged frames and usually re-sends what it stole so the victim doesn’t notice the gaps.
A is incorrect because the unicast destination MAC does not match the attacker’s machine. When the frame is read by the switch and compared to the internal address list (CAM table), it will be filtered and sent to the appropriate destination port. (Pedantic aside: the low bit of the first octet of a MAC is the individual/group bit, and E1 has it set, so strictly that address is a multicast address; the question means it as another host’s unicast MAC, and that is how you should read it.)
C is incorrect because the switch will not flood both messages to the attacker’s port; it floods only broadcast, multicast, and unicast frames whose destination it has not yet learned.
D is incorrect because the broadcast address will definitely be seen by the attacker.

3
Q
  1. You have tapped into a network subnet of your target organization. You begin an attack by learning all significant MAC addresses on the subnet. After some time, you decide to intercept messages between two hosts. You send broadcast messages to Host A showing your MAC address as belonging to Host B. What is being accomplished here?
    A. ARP poisoning to allow you to see all messages from either host without interrupting their communications process
    B. ARP poisoning to allow you to see messages from Host A to Host B
    C. ARP poisoning to allow you to see messages from Host B to Host A
    D. ARP poisoning to allow you to see messages from Host A destined to any address
    E. ARP poisoning to allow you to see messages from Host B destined to any address
A

B. ARP poisoning is a relatively simple way to place yourself as the “man in the middle” and spy on traffic (by the way, be careful with the term man in the middle: it usually refers to a position where traffic still flows through you rather than being cut off, so you have to forward what you intercept). The ARP cache is updated whenever your machine resolves an IP address to a MAC, and on many stacks also when an unsolicited ARP reply arrives advertising a MAC-to-IP mapping; ARP runs over broadcast and carries no authentication, so nothing checks the claim. In this example, you’ve told Host A that you hold the MAC address for Host B. Host A will update its cache, and when the OS builds a frame for Host B, it will happily put the spoofed address in the destination. Just remember that ARP poisoning is oftentimes noisy and may be easy to discover if port security is enabled: depending on implementation, the port will lock (or amber, in nerd terminology) when an incorrect MAC tries to use it or when multiple broadcasts claiming different MACs are seen. Switches with Dynamic ARP Inspection go further and drop ARP replies that don’t match the DHCP snooping binding table. Additionally, watch out for denial-of-service side effects of attempting ARP poisoning: you may well bring down a target without even trying to, not to mention Host B is eventually going to find out it’s not receiving anything from Host A. As a side note, detection of ARP poisoning can be done with a tool called xARP (www.chrismc.de).
A is incorrect for a couple of reasons. First, you won’t receive messages from each host addressed to anywhere in the world; you’ll only receive messages addressed from Host A to Host B. Second, the communications flow between the two hosts will be affected by this. As a matter of fact, Host A can no longer talk to Host B directly: the ARP poisoning has every frame A sends to B arriving at you, the hacker, and unless you forward them on (which is what MITM tools such as Ettercap do to keep the session alive), B never sees them.
C is incorrect because you didn’t poison Host B’s cache—Host A was the target.
D is incorrect because you didn’t poison Host A’s mapping to the default gateway or anything like that—you will only receive messages intended for Host B.
E is incorrect because you did not poison Host B at all.

4
Q
  1. Your target subnet is protected by a firewalled DMZ. Reconnaissance shows the external firewall passes some traffic from external to internal, but blocks most communications. HTTP traffic to a web server in the DMZ, which answers to www.somebiz.com, is allowed, along with standard traffic such as DNS queries. Which of the following may provide a method to evade the firewall’s protection?
    A. An ACK scan
    B. Firewalking
    C. False positive flooding
    D. TCP over DNS
A

D. Of the choices provided, TCP over DNS is the only one that makes any sense. TCP over DNS (DNS tunneling) is exactly what it sounds like: the traffic that would otherwise use a different port is chopped up and encoded into DNS queries and responses on port 53, typically as the labels of a query name in a domain the attacker controls and as the records in the reply. Because the firewall usually allows DNS requests to pass (and often the only thing it lets out is the internal resolver, which will happily forward the queries for you), hiding traffic inside DNS is convenient and fairly easy. The whole thing does require a special DNS server on the outside and a client setup on the inside, but the steps to pull it off aren’t rocket science. While TCP over DNS will allow you to evade the firewall and send traffic internally, it will not provide you instant access to machines or anything like that; it simply allows you to pass traffic through a firewall that would otherwise block it. It is also not invisible: a tunnel produces thousands of long, high-entropy query names to a single domain, which DNS logging or an IDS can flag. TCP over DNS tools include Iodine (http://code.kryo.se/iodine/), DNS Tunnel (http://dnstunnel.de), and Netcross (https://sourceforge.net/projects/netcross).
Another very common option for passing traffic through a firewall is HTTP tunneling. The same principle applies, except in HTTP tunneling you abuse port 80 instead of port 53. HTTP tunneling tools include HTTPort (www.targeted.org), SuperNetwork Tunnel (networktunnel.net), and HTTP-Tunnel (www.http-tunnel.com).
A is incorrect because an ACK scan does nothing to hide traffic or evade the firewall. The scan itself would be loud and noisy, and it would not affect the firewall at all.
B is incorrect because firewalking is a great technique to discover which ports are open (that is, which ports the firewall is allowing to pass) and which are closed. However, it does nothing to hide traffic or evade any suspicion.
C is incorrect because while false positive flooding does provide good “cover fire” for an attacker in an IDS, it does nothing to affect the firewall in any way—traffic to other ports will be blocked because that’s just what a firewall does.
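The encoding step is the part of DNS tunneling that the explanation glosses over, so here is an added example (not from the flashcard and not Iodine’s or any other tool’s code) showing how a byte stream becomes a series of query names that obey the DNS length rules, how the attacker’s server reassembles them, and the simple entropy feature a defender can use to spot such names. The zone t.somebiz.com and the payload are constructed for the example.

```python
import base64
import math
from collections import Counter

MAX_LABEL = 63          # RFC 1035: each label is at most 63 octets
MAX_NAME = 253          # longest name that fits the 255-octet wire limit
ZONE = "t.somebiz.com"  # assumed: a zone whose authoritative server the attacker runs


def encode_chunk(data, seq, zone=ZONE):
    """One payload chunk -> '<seq>.<base32 labels>.<zone>'. DNS names are
    case-insensitive, so base32 (not base64) keeps the data intact."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    name = ".".join([str(seq)] + labels + [zone])
    if len(name) > MAX_NAME:
        raise ValueError("chunk too big for a single query name")
    return name


def decode_name(name, zone=ZONE):
    """Server side of encode_chunk: returns (sequence number, chunk bytes)."""
    if not name.endswith("." + zone):
        raise ValueError("query is not for the tunnel zone")
    parts = name[:-len(zone) - 1].split(".")
    b32 = "".join(parts[1:]).upper()
    b32 += "=" * (-len(b32) % 8)            # restore the padding stripped on encode
    return int(parts[0]), base64.b32decode(b32)


def tunnel_send(payload, chunk_size=100, zone=ZONE):
    """Client side: chop the byte stream into query names. Each goes out as an
    ordinary DNS query, so the corporate resolver forwards it to the attacker's server."""
    return [encode_chunk(payload[i:i + chunk_size], n, zone)
            for n, i in enumerate(range(0, len(payload), chunk_size))]


def tunnel_receive(queries, zone=ZONE):
    """Server side: reassemble by sequence number (queries may arrive out of order)."""
    chunks = dict(decode_name(q, zone) for q in queries)
    return b"".join(chunks[k] for k in sorted(chunks))


def name_entropy(name):
    """Shannon entropy (bits per character) of a name with the dots removed. A cheap
    detection feature: tunnel labels look like random base32, normal names don't."""
    s = name.replace(".", "")
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())


# Constructed payload: an HTTP request followed by binary bytes, to show any data goes through
PAYLOAD = b"GET /secret HTTP/1.0\r\nHost: www.somebiz.com\r\n\r\n" + bytes(range(256))

if __name__ == "__main__":
    queries = tunnel_send(PAYLOAD)
    for q in queries:
        print(len(q), round(name_entropy(q), 2), q[:60] + "...")
    print(tunnel_receive(queries) == PAYLOAD)
```

Real tools add a session ID, acknowledgements, and carry the downstream direction in TXT or NULL records; the upstream direction shown here is the one that sets the volume and name-length signatures a defender looks for.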

5
Q
  1. Which of the following is the best choice in setting an NIDS tap?
    A. Connect directly to a server inside the DMZ.
    B. Connect directly to a server in the intranet.
    C. Connect to a SPAN port on a switch.
    D. Connect to the console port of a router.
A

C. A network intrusion detection system (NIDS) only works well if it can see all the network traffic, and placement obviously makes a huge difference. One common implementation is to connect via a SPAN (Switched Port Analyzer) port on a switch. The configuration for a SPAN port ensures all traffic from a defined range of ports is also copied to the SPAN port. This makes the best option for your NIDS tap, at least as far as this question goes. Two caveats: a SPAN port is easily oversubscribed (several gigabit ports mirrored into one), in which case the switch silently drops the copies, and it never shows you frames the switch itself discarded as errors. That is why, in the real world, you would most likely set up a passive tap, positioned in the correct location to see everything coming across the wire.
A is incorrect because connecting directly to a single server would give you only the traffic sent to or from that server (plus whatever broadcast, multicast, and flooded traffic the switch delivers to its port, even with the NIC in promiscuous mode). In this case, a slice of the DMZ’s traffic is all you’d see.
B is incorrect for the same reason: connecting directly to a single server on the intranet gives you that server’s traffic plus whatever the switch floods to its port, not the whole intranet.
D is incorrect because connecting to the console port on a router would provide access to no traffic at all. The console port on the router is used specifically for configuration and management of the router.

6
Q
  1. You have a large packet capture file in Wireshark to review. You want to filter traffic to show all packets with an IP address of 192.168.22.5 that contain the string HR_admin. Which of the following filters would accomplish this task?
    A. ip.addr==192.168.22.5 &&tcp contains HR_admin
    B. ip.addr 192.168.22.5 && “HR_admin”
    C. ip.addr 192.168.22.5 &&tcp string ==HR_admin
    D. ip.addr==192.168.22.5 + tcp contains tide
A

A. This is a perfect example of a typical question on your exam regarding Wireshark syntax. Answer A is the only one that sticks to Wireshark filter syntax. Definitely know the ip.addr, ip.src, and ip.dst filters; the “tcp contains” filter is another favorite of test question writers. When you combine filters in one search, use the && designator, and don’t forget the use of double equals signs. Another fun version of this same question involves reading the output from Wireshark. A tool that can help you out with the raw files—including output from other tools like tcpdump—is tcptrace (www.tcptrace.org/).
B, C, and D are all incorrect because the syntax is wrong for Wireshark filters. As an aside, a great way to learn the syntax of these filters is to use the expression builder directly beside the filter entry box. It’s self-explanatory and contains thousands of possible expression builds.

7
Q
  1. Which of the following techniques can be used to gather information from a fully switched network or to disable some of the traffic isolation features of a switch? (Choose two.)
    A. DHCP starvation
    B. MAC flooding
    C. Promiscuous mode
    D. ARP spoofing
A

B, D. Switches filter all traffic unless you tell them otherwise, make them behave differently, or the traffic is broadcast or multicast. If you can gain administrative access to the switch (Cisco IOS, for instance), you can tell it to behave otherwise by configuring a span port (which sends copies of messages from other ports to yours). Legitimate span ports are designed for things such as a network IDS. To make the switch behave differently (at least on older switches, because newer ones have protections against this), send more MAC addresses to the switch than it can handle. This fills the CAM table and turns the switch, effectively, into a hub (sometimes called a fail open state): destinations it can no longer learn get flooded out every port. Using a tool such as macof (from the dsniff suite) or Yersinia, you can send thousands and thousands of fake source MAC addresses into the switch’s CAM table. ARP spoofing doesn’t really involve the switch much at all; it continues to learn and filter traffic just as it was designed to do. The lie is told to the hosts, not the switch: you send the victim forged ARP replies claiming your MAC for somebody else’s IP, the victim’s ARP cache accepts them, and from then on it addresses its frames for that IP to your MAC. The switch, doing exactly its job, delivers those frames to your port. How fun!
A is incorrect because DHCP starvation is a form of a DoS attack, where the attacker “steals” all the available IP addresses from the DHCP server, which prevents legitimate users from connecting.
C is incorrect because the term promiscuous applies to the way a NIC processes messages. Instead of tossing aside all messages that are not addressed specifically for the machine (or broadcast/multicast), promiscuous mode says, “Bring ’em all in so we can take a look at them using our handy sniffing application.”
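Questions 2 and 7 both come down to what a switch’s CAM table does with a frame, so here is one added example (not part of the flashcards and not any vendor’s switch code) that models a learning switch with a bounded CAM table and walks through the four situations the two cards describe: the unicast frame the attacker does not see, the broadcast it does, the CAM flood that turns unknown destinations into flooded frames, and port stealing, including the real host winning the race back. The target and attacker MACs are the question’s; the third host’s MAC is constructed, because the question’s E1:22:BA:87:AC:12 has the group bit set and the model would correctly flood it. Eviction of the oldest entry when the table is full is a simplification; real switch ASICs stop learning instead, with the same visible effect.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"
# MACs from the question (target, attacker) plus a constructed third host
TARGET = "12:34:56:ab:cd:ef"
ATTACKER = "78:91:00:ed:bc:a1"
OTHER = "e0:22:ba:87:ac:12"   # constructed: the question's E1:... has the group bit set


def is_group_address(mac):
    """Broadcast and multicast MACs have the I/G bit (LSB of the first octet) set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


class Switch:
    """Learning switch with a bounded CAM table. Simplification: a full table
    evicts the oldest binding; real ASICs just stop learning, but the visible
    effect is the same: a destination the switch no longer knows is flooded."""

    def __init__(self, ports, cam_size):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.cam = OrderedDict()             # mac -> port, oldest first

    def learn(self, src_mac, in_port):
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)
        self.cam[src_mac] = in_port          # re-binds if the MAC shows up on a new port
        while len(self.cam) > self.cam_size:
            self.cam.popitem(last=False)

    def forward(self, in_port, src_mac, dst_mac):
        """Return the set of ports the frame is delivered to."""
        self.learn(src_mac, in_port)
        if is_group_address(dst_mac) or dst_mac not in self.cam:
            return {p for p in self.ports if p != in_port}   # flood (all but the ingress port)
        return {self.cam[dst_mac]}                            # filter to one port


def scenario():
    sw = Switch(ports=[1, 2, 3], cam_size=4)
    sw.learn(TARGET, 1)
    sw.learn(ATTACKER, 2)
    sw.learn(OTHER, 3)
    seen = {}
    # Question 2: message 1 (unicast) vs message 2 (broadcast); attacker listens on port 2
    seen["unicast"] = sw.forward(1, TARGET, OTHER)
    seen["broadcast"] = sw.forward(1, TARGET, BROADCAST)
    # Question 7, MAC flooding (macof-style): bogus source MACs pour in on the attacker's port
    for i in range(100):
        sw.forward(2, "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF), OTHER)
    seen["after_flood"] = sw.forward(1, TARGET, OTHER)        # OTHER no longer known -> flooded
    # Port stealing: OTHER is re-learned on port 3, then the attacker sends a frame
    # whose SOURCE MAC is OTHER's, so the CAM re-binds OTHER to port 2
    sw.learn(OTHER, 3)
    sw.forward(2, OTHER, ATTACKER)
    seen["port_stolen"] = sw.forward(1, TARGET, OTHER)
    # The real host transmitting again wins the race back
    sw.forward(3, OTHER, TARGET)
    seen["recovered"] = sw.forward(1, TARGET, OTHER)
    return seen


if __name__ == "__main__":
    for step, ports in scenario().items():
        print("%-12s delivered to ports %s" % (step, sorted(ports)))
```

The attacker’s port is 2: it appears in the delivery set only for the broadcast, after the flood, and while the port is stolen, which is the whole point of both questions.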

8
Q
  1. Which of the following statements is true regarding the discovery of sniffers on a network?
    A. To discover the sniffer, ping all addresses and examine the latency in responses.
    B. To discover the sniffer, send ARP messages to all systems and watch for NOARP responses.
    C. To discover the sniffer, configure the IDS to watch for NICs in promiscuous mode.
    D. It is almost impossible to discover the sniffer on the network.
A

D. This question is more about active versus passive sniffing than anything else. I’m not saying it’s impossible, because almost nothing is, but discovering a passive sniffer on your network is very difficult. When a NIC is set to promiscuous mode, it just blindly accepts any packet coming by and sends it up the layers for further processing (which is what allows Wireshark and other sniffers to analyze the traffic). Because sniffers are sitting there pulling traffic and not sending anything in order to get it, they’re difficult to detect. Active sniffing is another thing altogether. If a machine is ARP spoofing or MAC flooding in order to pull off sniffing, it’s much easier to spot it.
A is incorrect because the premise is absolutely silly. Thousands of things can affect latency in response to a ping, but running a sniffer on the box isn’t necessarily one of them, nor is latency an indicator of one being present.
B is incorrect because NOARP is a Linux interface setting (the IFF_NOARP flag) that stops the kernel from sending or answering ARP on that interface. It is a configuration flag, not a response packet we can discover sniffers with.
C is incorrect, at least for exam purposes, because an NIDS can’t see what mode a NIC is in: promiscuous mode changes what the card keeps, not what it sends, so from the wire the NIC looks like every other NIC. (Outside the exam, there are active tricks that can sometimes expose a promiscuous host: send an ARP request for its IP to a bogus destination MAC that a normal NIC would discard, and a promiscuous machine whose stack answers anyway gives itself away. That is a probe you send, not something an IDS watches for.)

9
Q
  1. Which of the following could provide a useful defense against ARP spoofing? (Choose all that apply.)
    A. Using ARPWALL
    B. Setting all NICs to promiscuous mode
    C. Using private VLANs
    D. Using static ARP entries
A

A, C, D. ARPWALL is an application available for download from SourceForge (http://sourceforge.net/projects/arpwall/). It gives an early warning when an ARP attack occurs and simply blocks the connection. Virtual LANs (VLANs) provide a means to create multiple broadcast domains within a single network: machines on the same switch can be placed in different VLANs, and their traffic is isolated. Since ARP works on broadcast, an attacker can only poison hosts in his own VLAN, which limits the blast radius. Private VLANs go a step further and isolate ports from each other within the same VLAN, so that hosts can reach only the promiscuous (uplink) port; a host that can’t send frames to its neighbors can’t poison them. Per courseware, static ARP entries are a good idea and at least one way to fix ARP poisoning, since no matter what is banging around out on the network, the system uses the static mapping you configured (the practical cost is that you have to maintain them by hand). The standard enterprise defense, not offered as a choice here, is Dynamic ARP Inspection on the switch, which validates every ARP reply against the DHCP snooping binding table and drops the forged ones. An IDS may also be helpful in spotting ARP shenanigans, but it wouldn’t necessarily do anything about them.
B is incorrect because setting NICs to promiscuous mode wouldn’t do a thing to prevent a broadcast message (ARP) from being received.
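Questions 3 and 9 describe the same exchange from opposite sides: the forged reply that poisons Host A’s cache, and the static entry that makes it harmless. The added example below (not from the flashcards, not xARP’s or ARPWALL’s code) builds the ARP reply as real Ethernet bytes, parses it back the way a host would, and runs it through a victim-side cache model once without and once with a static entry, recording what an xARP-style watcher would flag in each case. All IPs and MACs are constructed; the question names none.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed addresses (the question names no IPs or MACs)
HOST_A_IP, HOST_A_MAC = "10.0.0.10", "aa:aa:aa:aa:aa:aa"
HOST_B_IP, HOST_B_MAC = "10.0.0.20", "bb:bb:bb:bb:bb:bb"
ATTACKER_MAC = "cc:cc:cc:cc:cc:cc"


def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join("%02x" % x for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Ethernet II frame carrying an ARP reply: 'sender_ip is at sender_mac'."""
    eth = mac_bytes(dst_mac or target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)    # htype, ptype, hlen, plen, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    return {"op": struct.unpack("!H", frame[20:22])[0],
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


class HostArpCache:
    """Victim-side cache that, like many stacks, accepts unsolicited replies
    unless the entry is static (arp -s / ip neigh ... nud permanent)."""

    def __init__(self, static=None):
        self.static = dict(static or {})
        self.dynamic = {}
        self.alerts = []          # what an xARP-style watcher would report

    def process(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip in self.static:
            if self.static[ip] != mac:
                self.alerts.append("ignored: %s claimed by %s, static entry is %s"
                                   % (ip, mac, self.static[ip]))
            return
        old = self.dynamic.get(ip)
        if old is not None and old != mac:
            # an IP silently changing MAC is the classic poisoning symptom
            self.alerts.append("%s changed from %s to %s" % (ip, old, mac))
        self.dynamic[ip] = mac

    def lookup(self, ip):
        return self.static.get(ip) or self.dynamic.get(ip)


def poison_demo(use_static):
    """Host A's cache: first a genuine reply from B, then the attacker's forged one."""
    cache = HostArpCache(static={HOST_B_IP: HOST_B_MAC} if use_static else None)
    cache.process(build_arp_reply(HOST_B_MAC, HOST_B_IP, HOST_A_MAC, HOST_A_IP))
    # The question's move: a broadcast reply telling A that B's IP lives at the attacker's MAC
    cache.process(build_arp_reply(ATTACKER_MAC, HOST_B_IP, HOST_A_MAC, HOST_A_IP, dst_mac=BROADCAST))
    return cache.lookup(HOST_B_IP), cache.alerts


if __name__ == "__main__":
    for static in (False, True):
        mac, alerts = poison_demo(static)
        print("static entry:", static, "| A resolves B to", mac, "|", alerts)
```

Without the static entry, A now addresses everything for B to cc:cc:cc:cc:cc:cc and the only trace is the “changed MAC” event; with it, the forged reply is ignored and the same event becomes an attack indicator rather than a symptom.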

10
Q
  1. Examine the following Snort rule:
    alert tcp !$HOME_NET any -> $HOME_NET 23 (content:
    “admin”; msg:”Telnet attempt..admin access”;)
    Which of the following statements are true regarding the rule? (Choose all that apply.)
    A. This rule will alert on packets coming from the designated home network.
    B. This rule will alert on packets coming from outside the designated home address.
    C. This rule will alert on packets designated for any port, from port 23, containing the “admin” string.
    D. This rule will alert on packets designated on port 23, from any port, containing the “admin” string.
A

B, D. Snort rules, logs, entries, and configuration files will definitely be part of your exam. This particular rule takes into account a lot of things you’ll see. First, note the exclamation mark (!) just before the HOME_NET variable. Any time you see this, it indicates the opposite of the following variable; in this case, any packet from an address not in the home network. Following that variable is a spot for a port number, and the word any indicates we don’t care what the source port is. Next, we spell out the destination information: anything in the home network and destined for port 23. Finally, we add one more little search before spelling out the message we want to receive: the “content” designator allows us to spell out strings we’re looking for. Two practical notes: content is a byte-for-byte match anywhere in the payload and is case-sensitive unless you add nocase;, so ADMIN would slip past this rule as written, and a production rule also carries sid and rev options so its alerts can be identified and managed.
A and C are incorrect because these statements are polar opposite to what the rule is stating.
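To make the four answer choices concrete, here is an added example (not from the flashcard and not Snort’s own code) that parses the rule header and its quoted options and evaluates the rule against four constructed packets, one for each direction and content combination the choices describe. The value of $HOME_NET is assumed (Snort takes it from snort.conf), and only the subset of rule syntax the question uses is handled.

```python
import ipaddress
import re

# Assumed value for the rule's variable; Snort reads this from snort.conf
VARS = {"HOME_NET": ["192.168.1.0/24"]}

RULE_TEXT = ('alert tcp !$HOME_NET any -> $HOME_NET 23 '
             '(content:"admin"; msg:"Telnet attempt..admin access";)')

HEADER_RE = re.compile(r"(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
OPTION_RE = re.compile(r'(\w+)\s*:\s*"([^"]*)"\s*;')


def parse_rule(text):
    """Split a rule into its header fields and its quoted options (content, msg, ...).
    Keyword-only modifiers such as 'nocase;' are not handled here."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule")
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport,
            "options": dict(OPTION_RE.findall(opts))}


def match_addr(spec, ip):
    """'any', a CIDR, or a $VAR, each optionally negated with '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif spec.startswith("$"):
        hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in VARS[spec[1:]])
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def match_port(spec, port):
    """'any', a single port, or a 'lo:hi' range, optionally negated."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = int(spec) == port
    return hit != negate


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and payload (bytes).
    'content' is a case-sensitive byte match anywhere in the payload."""
    if rule["proto"] != pkt["proto"]:
        return False

    def one_way(s, sp, d, dp):
        return (match_addr(s, pkt["src"]) and match_port(sp, pkt["sport"]) and
                match_addr(d, pkt["dst"]) and match_port(dp, pkt["dport"]))

    header_ok = one_way(rule["src"], rule["sport"], rule["dst"], rule["dport"])
    if rule["dir"] == "<>":
        header_ok = header_ok or one_way(rule["dst"], rule["dport"], rule["src"], rule["sport"])
    content = rule["options"].get("content")
    return header_ok and (content is None or content.encode() in pkt["payload"])


def make(src, sport, dst, dport, payload):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}


# Constructed packets covering the answer choices
PACKETS = [
    make("203.0.113.5", 51000, "192.168.1.10", 23, b"login: admin\r\n"),   # outside -> inside:23, has 'admin'
    make("203.0.113.5", 51000, "192.168.1.10", 23, b"login: guest\r\n"),   # same, no 'admin'
    make("192.168.1.20", 51000, "192.168.1.10", 23, b"login: admin\r\n"),  # inside -> inside: src is $HOME_NET
    make("192.168.1.10", 23, "203.0.113.5", 51000, b"admin access ok"),    # from port 23 (answer C's direction)
]


def evaluate(rule_text=RULE_TEXT, packets=PACKETS):
    rule = parse_rule(rule_text)
    return [rule_matches(rule, p) for p in packets]


if __name__ == "__main__":
    print(parse_rule(RULE_TEXT)["options"]["msg"], evaluate())
```

Only the first packet fires: outside source, home-network destination, port 23, and the literal bytes “admin” in the payload. The third packet shows what the ! does, and the fourth is answer C, which the rule never matches because the direction operator is not reversible.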

11
Q
  1. You want to begin sniffing, and you have a Windows laptop. You download and install Wireshark but quickly discover your NIC needs to be in promiscuous mode. What allows you to put your NIC into promiscuous mode?
    A. Installing lmpcap
    B. Installing npcap
    C. Installing WinPcap
    D. Installing libPcap
    E. Manipulating the NIC properties through Control Panel | Network and Internet | Change Adapter Settings
A

C. To understand this, you have to know how a NIC is designed to work. The NIC “sees” lots of traffic but pulls in only the traffic it knows belongs to you. It does this by comparing the destination MAC address of each frame against its own (and the broadcast and subscribed multicast addresses): if they match, it pulls the frame in and passes it up the stack; if they don’t match, the frame is discarded. If you plug a sniffer into a NIC that looks only at traffic designated for the machine you’re on, you’ve kind of missed the point, wouldn’t you say? Promiscuous mode tells the NIC to pull in everything that reaches it. On a hub that is the whole segment; on a switch it is broadcasts, multicasts, and whatever the switch floods or mirrors to your port, which is why the switch questions elsewhere in this chapter matter. WinPcap is the capture driver and library that let applications on Windows put the NIC into promiscuous mode and read raw frames. Be aware that WinPcap has not been maintained since 2013 and does not work properly on current Windows versions; Npcap is its successor and is what current Wireshark installers for Windows bundle. The exam’s answer key still says WinPcap.
A is incorrect because lmpcap does not exist.
B is incorrect per the exam’s answer key, which predates Npcap. In reality Npcap does exist (https://nmap.org/npcap/), is the maintained replacement for WinPcap, and is what you would install today.
D is incorrect because libpcap is the equivalent library on Linux and other Unix-like systems, where it sits on top of the kernel’s own capture interface.
E is incorrect because accessing the Change Adapter Settings window does not allow you to put the card into promiscuous mode; you still need a capture driver such as WinPcap (or Npcap) for this.

12
Q
  1. A network and security administrator installs an NIDS. After a few weeks, a successful intrusion into the network occurs and a check of the NIDS during the timeframe of the attack shows no alerts. An investigation shows the NIDS was not configured correctly and therefore did not trigger on what should have been attack alert signatures. Which of the following best describes the actions of the NIDS?
    A. False positives
    B. False negatives
    C. True positives
    D. True negatives
A

B. When it comes to alerting systems, false negatives are much more concerning than false positives. A false negative occurs when traffic and circumstances are in place for an attack signature, but the IDS does not trigger an alert. In other words, if your system is producing a lot of false negatives, the security staff may feel like they’re secure when, in reality, they’re really under a successful attack. Keep in mind a false negative is different from your IDS simply not seeing the traffic. For example, if you tell your IDS to send an alert for Telnet traffic and it simply didn’t see those packets (for whatever reason), that may be a false negative for exam purposes but in the real world is probably more of a placement or configuration issue. A better example of a false negative in the real world would be for the attacker to encrypt or fragment a portion of a payload so that the IDS doesn’t recognize it as suspicious. In other words, the IDS sees the traffic, but it just doesn’t recognize anything bad about it.
A is incorrect because false positives occur when legitimate traffic is alerted on as if something was wrong with it. Keeping false positives to a minimum is a concern when choosing and configuring an IDS.
C and D are incorrect because they describe the IDS getting it right: a true positive is an alert on a real attack, and a true negative is silence on benign traffic. Here there was a real attack and no alert.

13
Q
  1. A pen test member has gained access to an open switch port. He configures his NIC for promiscuous mode and sets up a sniffer, plugging his laptop directly into the switch port. He watches traffic as it arrives at the system, looking for specific information to possibly use later. What type of sniffing is being practiced?
    A. Active
    B. Promiscuous
    C. Blind
    D. Passive
    E. Session
A

D. This is one of those weird CEH definitions that drive us all crazy on the exam. Knowing the definition of passive versus active isn’t really going to make you a better pen tester, but it may save you a question on the test. When it comes to sniffing, if you are not injecting packets into the stream, it’s a passive exercise. Tools such as Wireshark are passive in nature. A tool such as Ettercap, though, has built-in features to trick switches and hosts into sending all traffic its way, and other sniffing hilarity. This type of sniffing, where you use packet injection to force a response, is active in nature. As a quick aside here, for you real-world preppers out there, true passive sniffing with a laptop is pretty difficult to pull off. As soon as you attach a Windows machine, it’ll start broadcasting all kinds of stuff (ARP, DHCP, name resolution, and so on), which is, technically, putting packets on the wire. The real point is that passive sniffing is a mindset where you are not intentionally putting packets on a wire.
A is incorrect because in the example given, no packet injection is being performed. The pen tester is simply hooking up a sniffer and watching what comes by. The only way this can be more passive is if he has a hammock nearby.
B is incorrect because the term promiscuous is not a sniffing type. Instead, it refers to the NIC’s ability to pull in frames that are not addressed specifically for it.
C is incorrect because the term blind is not a sniffing type. This is included as a distractor.
E is incorrect because the term session is not a sniffing type. This is included as a distractor.

14
Q
  1. Which of the following are the best preventive measures to take against DHCP starvation attacks? (Choose two.)
    A. Block all UDP port 67 and 68 traffic.
    B. Enable DHCP snooping on the switch.
    C. Use port security on the switch.
    D. Configure DHCP filters on the switch.
A

B, C. DHCP starvation is a denial-of-service attack EC-Council somehow slipped into the sniffing section. The attack is pretty straightforward: the attacker sends a flood of DHCP DISCOVER messages, each with a different client hardware address, and leases every available address from the server, so legitimate users cannot pull an address and connect or communicate with the network subnet. DHCP snooping on a Cisco switch (enabled with ip dhcp snooping) marks ports as trusted or untrusted: server replies are accepted only from trusted ports, a binding table of which MAC and IP belongs to which port is built from the leases, and an untrusted port can be rate-limited (ip dhcp snooping limit rate) so that a burst of DISCOVERs err-disables the port instead of draining the pool. Port security, while not directly related to the attack, can be a means of defense as well. By limiting the number of MACs associated with a port, as well as whitelisting which specific MACs can use it, you could certainly reduce an attacker’s ability to drain all DHCP addresses. One caveat: port security counts Ethernet source MACs, so it only works against tools that change the frame’s source MAC along with the DHCP client hardware address; an attacker who forges only the chaddr field inside the DHCP payload walks past it, which is why the snooping rate limit is the more reliable of the two.
As a side note, you may also see a question relating to how DHCP works in the first place. An easy way to remember it all is with the acronym DORA: Discover, Offer, Request, and Acknowledge. Additionally, packets in DHCPv6 have different names than those of DHCPv4. DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, and DHCPACK are known as Solicit, Advertise, Request (or Confirm/Renew), and Reply, respectively.
A is incorrect because blocking all UDP 67 and 68 traffic would render the entire DHCP system moot because no one could pull an address.
D is incorrect because DHCP filtering is done on the server and not the switch. DHCP filtering involves configuring the whitelist on the server itself.
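The caveat about port security only counting frame source MACs is easier to believe when you watch it happen, so here is an added example (not from the flashcard, not vendor code) with a toy DHCP lease pool, an untrusted access port that can enforce a port-security MAC limit or a DHCP snooping rate limit, and a starvation run in two flavours: one that varies the Ethernet source MAC along with the chaddr and one that forges only the chaddr. The 20-address pool, the limits, and the assumption that the whole burst falls inside one rate-limit window are all constructed for the example.

```python
class DhcpServer:
    """Lease pool keyed by the client hardware address (chaddr) in the request."""

    def __init__(self, pool):
        self.free = list(pool)
        self.leases = {}

    def discover(self, chaddr):
        """DISCOVER -> OFFER: hand out the next free address, or None when exhausted."""
        if chaddr in self.leases:
            return self.leases[chaddr]
        if not self.free:
            return None
        self.leases[chaddr] = self.free.pop(0)
        return self.leases[chaddr]


class AccessPort:
    """Untrusted switch port. max_macs models port security (switchport port-security
    maximum N, violation shutdown); dhcp_rate models 'ip dhcp snooping limit rate N'
    (DHCP messages per second before the port is err-disabled)."""

    def __init__(self, max_macs=None, dhcp_rate=None):
        self.max_macs, self.dhcp_rate = max_macs, dhcp_rate
        self.seen_macs = set()
        self.dhcp_count = 0       # all traffic below is assumed to fall in one 1-second window
        self.errdisabled = False

    def admit_dhcp(self, frame_src_mac):
        if self.errdisabled:
            return False
        self.seen_macs.add(frame_src_mac)
        if self.max_macs is not None and len(self.seen_macs) > self.max_macs:
            self.errdisabled = True          # port-security violation: port shut down
            return False
        self.dhcp_count += 1
        if self.dhcp_rate is not None and self.dhcp_count > self.dhcp_rate:
            self.errdisabled = True          # snooping rate limit exceeded
            return False
        return True


def starvation(port, server, n=50, vary_frame_mac=True):
    """Attacker fires n DISCOVERs, each with a fresh chaddr. Some tools also change the
    Ethernet source MAC (which port security can count); others forge only chaddr."""
    for i in range(n):
        chaddr = "02:00:00:00:00:%02x" % i
        frame_mac = chaddr if vary_frame_mac else "02:00:00:00:00:00"
        if port.admit_dhcp(frame_mac):
            server.discover(chaddr)
    return len(server.free)       # addresses left for legitimate clients


POOL = ["10.0.0.%d" % i for i in range(100, 120)]      # constructed 20-address scope


def compare_defenses():
    return {
        "unprotected": starvation(AccessPort(), DhcpServer(POOL)),
        "port_security": starvation(AccessPort(max_macs=3), DhcpServer(POOL)),
        "port_security_chaddr_only": starvation(AccessPort(max_macs=3), DhcpServer(POOL), vary_frame_mac=False),
        "snooping_rate_limit": starvation(AccessPort(dhcp_rate=5), DhcpServer(POOL), vary_frame_mac=False),
    }


if __name__ == "__main__":
    for name, left in compare_defenses().items():
        print("%-28s %2d of %d addresses still free" % (name, left, len(POOL)))
```

The unprotected port and the chaddr-only attack against port security both leave zero addresses; the rate limit stops the burst regardless of how the frames are addressed, which is the exam’s reason for listing DHCP snooping first.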

15
Q
  1. Which of the following tools is the best choice to assist in evading an IDS?
    A. Nessus
    B. Nikto
    C. Libwhisker
    D. Snort
A

C. It’s a hallmark of EC-Council certification exams to have a few off-the-wall, tool-specific questions, and this is a great example. Libwhisker (https://sourceforge.net/projects/whisker/) is a full-featured Perl library used for a number of things, including HTTP-related functions, vulnerability scanning, exploitation, and IDS evasion. In fact, some scanners actually use libwhisker for session splicing (spreading a request across many tiny TCP segments so that no single packet contains a complete signature) in order to scan without being seen.
A is incorrect because Nessus is a vulnerability scanner and, on its own, is not designed to evade IDS detection.
B is incorrect because Nikto, like Nessus, is a vulnerability scanner and, on its own, is not designed to evade IDS detection.
D is incorrect because Snort is an IDS itself. Snort is also a perfectly acceptable sniffer.

16
Q
  1. An attacker somehow manages to connect a rogue switch onto an enterprise network segment. He configures the switch with a priority lower than any other on the network. Assuming this attempt is successful, which of the following statements is true?
    A. The rogue switch will cause broadcast loops and eventually DoS the segment.
    B. The rogue switch will become the root bridge, allowing the attacker to sniff network traffic.
    C. DHCP will no longer function on the segment.
    D. None of the above.
A

B. Let’s address the obvious up front: if your security is so weak someone can simply walk into your offices and connect a switch (a switch!) to your network without anyone noticing, you have no security. OK, that said, let’s address the question’s intent. EC-Council defines a “new” type of sniffing attack called an STP attack. STP (Spanning Tree Protocol) is what switches use to keep a redundant Layer 2 topology loop-free, and loops are what turn a single broadcast into a broadcast storm. The switches exchange BPDUs and elect a root bridge: the one with the lowest bridge ID, which is the configured priority followed by the switch’s MAC address, so the lowest priority value wins. Every other switch then blocks the redundant paths that don’t lead toward the root.
The idea here is the attacker uses STP to his advantage by advertising a priority of zero so the rogue device becomes the root bridge. The topology re-converges around it, and traffic between other switches can be made to transit the attacker’s device, which helps in sniffing traffic across multiple switches. In practice the rogue needs at least two links into the network to actually sit in the path, and every re-election causes a brief outage, which is noisy. The defenses are BPDU Guard on access ports, which err-disables a port the moment it receives any BPDU, and Root Guard on ports that should never lead toward the root.
A is incorrect because STP is designed specifically to prevent these storms, and adding another device—even a rogue one—wouldn’t change that.
C is incorrect because this action would have no effect whatsoever on DHCP.
D is incorrect because there is a correct answer provided.

17
Q
  1. Your IDS sits on the network perimeter and has been analyzing traffic for a couple of weeks. On arrival one morning, you find the IDS has alerted on a spike in network traffic late the previous evening. Which type of IDS are you using?
    A. Stateful
    B. Snort
    C. Passive
    D. Signature based
    E. Anomaly based
A

E. The scenario described here is precisely what an anomaly- or behavior-based system is designed for. The system watches traffic and, over time, develops an idea of what “normal” traffic looks like—everything from source and destinations, ports in use, and times of higher data flows. In one sense, it’s better than a plain signature-based system because it can find things heuristically based on behavior; however, anomaly-based systems are notorious for the number of false positives they spin off—especially early on.
A is incorrect because stateful refers to a firewall type, not an IDS.
B is incorrect because Snort is a signature-based IDS.
C is incorrect because passive describes what an IDS does with an alert (it reports and nothing more), not how it detects, which is what the question is asking. An IDS can react to an alert by taking action to stop or prevent an attack, but then it is referred to as an intrusion prevention system (IPS) rather than an active IDS.
D is incorrect because a signature-based IDS isn’t going to care about the amount of traffic going by, or what time it occurs. A signature-based IDS simply compares each packet against a list (signature file) you configure it to look at. If nothing matches in the signature file, then no action is taken.

18
Q
  1. You are performing an ACK scan against a target subnet. You previously verified connectivity to several hosts within the subnet but want to verify all live hosts on the subnet. Your scan, however, is not receiving any replies. Which type of firewall is most likely in use at your location?
    A. Packet filtering
    B. IPS
    C. Stateful
    D. Active
A

C. Most people think of a firewall as a simple packet filter, examining packets as they are coming in against an access list: if the port is allowed, let the packet through. However, the stateful inspection firewall has the ability to examine the session details regarding the packet and make a determination on its state. For a common (dare I say, textbook) example, if a stateful firewall receives an ACK packet, it’s smart enough to know whether there is an associated SYN packet that originated from inside the network to go along with it. If there isn’t, that is, if communications did not start from inside the subnet, it’ll drop the packet. That is exactly what an ACK scan (nmap -sA) probes for: a port reported as unfiltered got a RST back through a stateless filter, while a port reported as filtered got nothing, which is what a stateful firewall produces across the board.
A is incorrect because a packet-filtering firewall wouldn’t bother with the flags. It would be concerned about what port the packet was headed to. If, for instance, you host a web page out of that subnet but not an FTP server, your firewall should be set up to allow port 80 in but not port 21.
B is incorrect because an intrusion prevention system (IPS) isn’t a firewall at all. It’s a network-monitoring solution that has the capability of recognizing malicious traffic and taking action to prevent or stop the attack.
D is incorrect because the term active is not associated with a firewall type. This is included as a distractor.

19
Q
  1. You are separated from your target subnet by a firewall. The firewall is correctly configured and allows requests only to ports opened by the administrator. In firewalking the device, you find that port 80 is open. Which technique could you employ to send data and commands to or from the target system?
    A. Encrypt the data to hide it from the firewall.
    B. Use session splicing.
    C. Use MAC flooding.
    D. Use HTTP tunneling.
A

D. HTTP tunneling is a successful “hacking” technique. (Microsoft makes use of HTTP tunneling for lots of things, and it has been doing so for years.) The tactic is fairly simple: because port 80 is almost never filtered by a firewall, you can craft port 80 segments to carry a payload for protocols the firewall may have otherwise blocked. Of course, you’ll need something on the other end to pull the payload out of all those port 80 packets that IIS is desperately wanting to answer, but that’s not altogether difficult.
A is incorrect because encryption won’t do a thing for you here. The firewall isn’t looking necessarily at content/payload—it’s looking at the packet/frame header and port information. Encryption is a good choice to get around an IDS, not a firewall.
B is incorrect because session splicing is a technique for evading an IDS, not a firewall. Again, the firewall is interested in the packet and frame header, not what fragments of code you’ve hidden in the payload.
C is incorrect because MAC flooding is a technique for sniffing switches. The idea is to fill the CAM table to the brim with thousands of useless MAC addresses. This effectively turns the switch into a hub, because it is too confused to filter and just begins flooding all traffic to all ports.

20
Q
  1. Which of the following tools can be used to extract Application layer data from TCP connections captured in a log file into separate files?
    A. Snort
    B. Netcat
    C. TCPflow
    D. Tcpdump
A

C. Per its GitHub page (https://github.com/simsong/tcpflow/wiki/tcpflow-%E2%80%94-A-tcp-ip-session-reassembler), TCPflow is “a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored ‘tcpdump’ packet flows…. tcpflow is similar to ‘tcpdump,’ in that both process packets from the wire or from a stored file. But it’s different in that it reconstructs the actual data streams and stores each flow in a separate file for later analysis.”
A is incorrect because Snort is a great IDS, sniffer, and packet logger, but it isn’t so great at separating TCP streams for Application layer analysis.
B is incorrect because netcat (the “Swiss Army knife of hacking,” as it’s called) isn’t designed for sniffing and packet analysis.
D is incorrect because tcpdump will certainly pull everything for you, but it does not reconstruct the actual data streams or store each flow in a separate file for later analysis.

21
Q
  1. Examine the Wireshark filter shown here:
    ip.src == 192.168.1.1 && tcp.srcport == 80
    Which of the following correctly describes the capture filter?
    A. The results will display all traffic from 192.168.1.1 destined for port 80.
    B. The results will display all HTTP traffic to 192.168.1.1.
    C. The results will display all HTTP traffic from 192.168.1.1.
    D. No results will display because of invalid syntax.
A

C. Wireshark filters will be covered quite a bit on your exam, and, as stated earlier, these are easy questions for you. The preceding syntax designates the source IP and combines it with a source TCP port. This is effectively looking at answers to port 80 requests by 192.168.1.1. As another important study tip, watch for the period (.) between “ip” and “src” on the exam because they’ll drop it or change it to a dash (-) to trick you. And lastly, for real-world application, it’s important to note that Wireshark considers certain friendly terms such as HTTP as simple placeholders for the actual port. This means in Wireshark (at least as far as CEH is concerned), HTTP and 80 are more or less identical. As a budding ethical hacker, you should know by now that just because something is traveling on port 80 doesn’t mean it’s HTTP traffic.
A is incorrect because port 80 is defined as the source port, not the destination; 192.168.1.1 is answering a request for an HTML page.
B is incorrect because 192.168.1.1 is defined as the source address, not the destination.
D is incorrect because the syntax is indeed correct.

22
Q
  1. You need to put the NIC into listening mode on your Linux box, capture packets, and write the results to a log file named my.log. How do you accomplish this with tcpdump?
    A. tcpdump -i eth0 -w my.log
    B. tcpdump -l eth0 -c my.log
    C. tcpdump /i eth0 /w my.log
    D. tcpdump /l eth0 /c my.log
A

A. Tcpdump syntax is simple: tcpdump flag(s) interface. The -i flag specifies the interface (in this example, eth0) for tcpdump to listen on, and the -w flag defines where you want your packet log to go. For your own study, be aware that many study references—including EC-Council’s official reference books—state that the -i flag “puts the interface into listening mode.” It doesn’t actually modify the interface at all, so this is a little bit of a misnomer—it just identifies to tcpdump which interface to listen on for traffic. Also, be aware that the -w flag dumps traffic in binary format. If you want the traffic to be readable, you’ll need to have it display onscreen. Better yet, you can dump it to a file using the | designator and a filename.
B is incorrect because the -l flag does not put the interface in listening mode; it actually has to do with line buffering.
C and D are incorrect for the same reason; flags are designated with a dash (-), not a slash (/).

23
Q
  1. Which of the following tools can assist with IDS evasion? (Choose all that apply.)
    A. Whisker
    B. Fragroute
    C. Capsa
    D. Wireshark
    E. ADMmutate
    F. Inundator
A

A, B, E, F. IDS evasion comes down to a few methods: encryption, flooding, and fragmentation (session splicing). Whisker is an HTTP scanning tool, but it also has the ability to craft session-splicing fragments. Fragroute intercepts, modifies, and rewrites egress traffic destined for the specified host and can be used to fragment an attack payload over multiple packets. ADMmutate can create multiple scripts that won’t be easily recognizable by signature files, and Inundator is a flooding tool that can help you hide in the cover fire.
C and D are incorrect because both Capsa (Colasoft) and Wireshark are sniffers.

24
Q
  1. A security administrator is attempting to “lock down” her network and blocks access from internal to external on all external firewall ports except for TCP 80 and TCP 443. An internal user wants to make use of other protocols to access services on remote systems (FTP, as well as some nonstandard port numbers). Which of the following is the most likely choice the user could attempt to communicate with the remote systems over the protocol of her choice?
    A. Use HTTP tunneling.
    B. Send all traffic over UDP instead of TCP.
    C. Crack the firewall and open the ports required for communication.
    D. MAC flood the switch connected to the firewall.
A

A. If you happen to own CEH Certified Ethical Hacker All-in-One Exam Guide, Fifth Edition, the companion book to this practice exams tome, you’re undoubtedly aware by now I harp on protocols not necessarily being tied to a given port number in the real world. Sure, FTP is supposed to be on TCP port 21, SMTP is supposed to ride on 25, and Telnet is supposed to be on 23, but the dirty little truth is they don’t have to. An HTTP tunnel is a brilliant example of this. To the firewall and everyone else watching, traffic from your machine is riding harmless little old port 80—nothing to see here folks, just plain-old, regular HTTP traffic. But a peek inside that harmless little tunnel shows you can run anything you want. Typically, you connect to an external server over port 80, and it will unwrap and forward your other protocol traffic for you, once you’ve gotten it past your pesky firewall.
B is incorrect because, well, this is just a ridiculous answer. UDP ports are filtered by a firewall just like TCP ports, so sending only UDP would be useless.
C is incorrect because, while it would certainly allow the communication, it wouldn’t be for very long. Every sensor on the network would be screaming, and the happy little security admin would lock it back down ASAP. Not to mention, the user would get fired.
D is incorrect because MAC flooding refers to active sniffing on a switch, not bypassing a firewall.

25
Q
  1. An ethical hacker is assigned to scan a server and wants to avoid IDS detection. She uses a tactic wherein the TCP header is split into many packets, making it difficult to detect what the packets are intended for. Which of the following best describes the technique employed?
    A. TCP scanning
    B. IP fragment scanning
    C. ACK scanning
    D. Inverse TCP scanning
A

B. There are several methods to attempt evasion of an IDS, and an IP fragmentation scan is but one of them. It works by splitting the original TCP header into multiple, smaller packets. Each of those smaller packets, on its own, means a whole lot of nothing to the IDS, but when reassembled at the destination they can, for example, scan traffic (which is the case here). This is not to say it’s always going to work—almost nothing is foolproof—but I can almost guarantee you’ll see this particular evasion technique on your exam somewhere.
A, C, and D are all incorrect for the same reason: the type of scan being used has nothing to do with the evasion method asked about in the question. The evasion method of splitting the headers into fragmented packets can be used regardless of scan type.