Intrusion Analysis

Question 1

ngrep purpose, strengths, weakness

Answer 1

Simple packet pattern matcher
Quick Commandline execution
Has no notion of anything but packets

Question 2

ngrep -i

Answer 2

case insenstive

Question 3

ngrep -I

Answer 3

read from pcap file

Question 4

ngrep -x

Answer 4

print out file in hex

Question 5

ngrep -X

Answer 5

treat match expression as hex

Question 6

ngrep examine readable chars in payload

Answer 6

ngrep -I trace.pcap -W byline “”

Question 7

ngrep examine for .exe

Answer 7

ngrep -I trace.pcap -W byline “.exe” -i

Question 8

ngrep for NOPs

Answer 8

ngrep -I trace.pcap -xX “0x909090”

Question 9

Unix Strings + grep

Answer 9

strings trace.pcap | grep “.exe”

Question 10

What is p0f

Answer 10

passive OS fingerprinting

Question 11

p0f pupose, strengths, weakness

Answer 11

Passive OS identification
Command line execution
Easily fooled, OS fingerprints not kept up

Question 12

p0f use to get OS

Answer 12

p0f -s trace.pcap

Question 13

tcpflow purpose, strength, weakness

Answer 13

Display/Store tcp conversations
command line execution
Not as sophisticated as wireshark

Question 14

tcpflow use

Answer 14

tcpflow -C -r http.pcap

Question 15

tcpreplay purpose, strength, weakness

Answer 15

replay captured packets out on network

light weight command line

Question 16

tcpreplay uses

Answer 16

emulate attacker and victim
tests are repeatable
replay at arbitrary speeds
use to test IDS/IPS

Question 17

Chaosreader purpose, strength, weakness

Answer 17

Present application data for some protocols
Good visual analysis of sessions, times, packets, protocols
Not maintained and short on some protocols

Question 18

Netwitness purpose, strength, weakness

Answer 18

Reconstruct session for analysis
Can reconstruct, content search, filtering
commercial and free versions

Question 19

Wireshark purpose, strength, weakness

Answer 19

Capture/view traffic
Free
Handles large pcaps slowly

Question 20

What is pcap ring buffer

Answer 20

Wireshark or Tshark

buckets of defined size rotate in ring defined by time or size before each bucket rotates. Can use HDD or memory

Question 21

Tshark ring buffer switch

Answer 21

-b

Question 22

What is a flow

Answer 22

source IP
source Port
dst IP
dst Port
Protocol
TCP Flags
Total Bytes and Packets
Times

Question 23

Flow terminates when

Answer 23

FIN/RST
Inactivity for 63 seconds (depends on vendor)
Activity more than 30 minutes

Question 24

SiLK tools

Answer 24

rwfilter - converts flow record for use by other tools. Output is not real human readable
rwp2yaf2silk - convert pcap to silk flow

Question 25

What is the result of the following command?

tcpreplay -l 0 0i eth0
file.pcap

Answer 25

play file until Ctrl-C is pressed

Question 26

What is the result of the following command?

ngrep -wi ‘user|pass’
tcp port 25

Answer 26

Wrong - Search for case insensitive exact match of “user|pass” over tcp port 25

Question 27

Which protocol is specified in the following capture filter?

rwfilter sample.silk –proto=17 –fail=stdout | rwcut –f 1-5

Answer 27

UDP

Question 28

Which command will extract TCP flows and pass them to rwstat to show the
top 5 destination ports by number of flows?

Answer 28

rwfilter attack.silk –proto=6 –pass=stdout |rwstats –dport –count=5 –flows

Question 29

Which of the following commands will convert the ‘attack.pcap’ file to
‘attack.silk’?

Answer 29

rwp2yaf2silk –in=attack.pcap –out=/tmp/attack.silk

Question 30

What tool may be used in order to reformat tcpdump pcaps into SiLK data for
analysis?

Answer 30

rwp2yaf2silk

Question 31

Which of the following Ngrep commands will display packets containing ‘GET’
requests for ‘.jpg’ files?

Answer 31

ngrep -i “get.*.jpg”

Question 32

Which SiLK command acts as the primary selection vehicle for processing and
filtering traffic flows?

Answer 32

rwfilter

Question 33

Which protocol is specified in the following capture
filter?

rwfilter sample.silk –proto=1 –fail=stdout | rwcut –f 1-5

Answer 33

icmp

Question 34

Which of the following filters will focus on a source address of 10.0.0.15,
using TCP with a destination port of 25?

Answer 34

rwfilter sample.silk –saddress=10.0.0.15 –proto=6 –dport=25 –pass=stdout | rwcut –f 1-8

Question 35

Which SiLK command acts as the primary selection vehicle for processing and
filtering traffic flows?

Answer 35

rwfilter

Question 36

What built-in feature of Wireshark can be used to help identify and reveal
atypical protocol behaviors?

Answer 36

Expert System

Question 37

Which BPF filter would be used to only capture a SYN packet?

Answer 37

tcp[13]=2

Question 38

Aggregation Tap

Answer 38

Port - Aggregates split traffic before sending to monitor device

Question 39

Span tap

Answer 39

plug into switch span port

Question 40

Regeneration taps

Answer 40

permit multiple monitoring devices to view same traffic

Question 41

Which of the following nmap OS tests is a SYN to a closed port with
options?

Answer 41

T5

Question 42

Which packet crafting tool allows you to create your own python modules for
simulating network traffic?

Answer 42

scapy

Question 43

Which security tool has a ‘decoy’ option and utilizes a scripting engine
written in LUA?

Answer 43

nmap

Question 44

Which of the following nmap OS tests is a Null packet with options to an
open port?

Answer 44

T2

Question 45

Which filter would be used in order to identify SYN segments with a windows
size of less than 256?

Answer 45

tcp[13] = 2 and tcp[14:2] < 256

Question 46

Which of the following is NOT a reason to craft a packet?

To provide workarounds for IP shortcomings
To evade detection by an IDS
To fingerprint a remote operating system
To elicit a response for mapping live hosts

Answer 46

To provide workarounds for IP shortcomings

Question 47

Which of these statements about nmap are NOT true?

Answer 47

???

Question 48

Which of the following filters will filter traffic where there are no TCP
flags, the DF bit is set, and the window size is 128?

Answer 48

‘tcp[13] = 0 and ip[6] & 0x40 =0x40 and tcp[14:2] = 128’

Question 49

What appears to be abnormal with the following packet?

10.1.1.1.43887 > 10.1.1.2.80: Flags [], win 128, options [wscale
10,nop,mss 265, TS val 4294967295 ecr 0, sackOK], length 0

Answer 49

The mss and wscale tcp options should be set only on a segment that has a SYN flag.

Question 50

Which of the tools was NOT designed to have any packet-crafting capabilities

scapy
hping2
nmap
tcpdump

Answer 50

tcpdump

Question 51

One of the tests used by Nmap to do OS fingerprinting is the TCP sequence
ability test (Tseq). What does Tseq do?

It sequentially probes TCP ports 1-65,535 in search of likely entry points in the target.
It observes TCP initial sequence numbers generated by the target’s TCP/IP stack.
It sequences the target’s TCP/IP stack in search of faults to exploit.
It determines whether the target’s TCP/IP stack is configured to process the segments in sequence or in order of arrival.

Answer 51

It observes TCP initial sequence numbers generated by the target’s TCP/IP stack.

Examines TCP sequence # generation, TCP timestamp Option

Question 52

Which of the following techniques does nmap NOT use in operating system
detection?
Sending a UDP packet to a closed port
Examines ICMP error message responses
Sending fragmented TCP packets and monitoring the reply
Setting several TCP options and seeing the order of the reply

Answer 52

Sending fragmented TCP packets and monitoring the reply

Question 53

Which nmap file contains expected responses for various different operating
systems?

Answer 53

nmap-os-db

Question 54

What header fields are mostly used for OS fingerprinting with nmap, in
IPv6?

Answer 54

IP

Question 55

What is one advantage of the IP checksum scheme?
Its computational simplicity allows for speedy calculation.
It uses only eight bits, in order to cut overhead.
Its robust design protects against all possible errors.
The IP header cannot be spoofed, since the checksum protects against it.

Answer 55

Its computational simplicity allows for speedy calculation.

Question 56

What is an evasion attack?

Answer 56

Sending packets that bypass the NIDS’ filters but that the target host accepts.

Question 57

What is the tool ‘Nikto’ used to do?

Answer 57

Evades a NIDS by obfuscating strings and does an application-layer attack on a web server.

Question 58

What is the purpose of the UDP pseudo-header?

Answer 58

The IP header data stored in the UDP pseudo-header mitigates the risk of a packet being delivered to the wrong host or protocol stack.

Question 59

What are the IP and protocol checksums in the following datagram?

4500 0026 8acc 0000 0111 76af c0a8 0102
c0a8 0103 8acb 829b 0012 1797 0101 2edb
7439 756a 0900 0457 0015 3f9f 2328 0000

Answer 59

IP: 0x76af and UDP: 0x1797

Question 60

If a packet is passing through a router and the router puts the first two
octets of the source IP in the first two octets of destination IP field, and
the router puts the first two octets of the destination IP in the first two
octets of the source IP field, what will happen to the packet?

Answer 60

The packet corruption will be undetected and delivery will be attempted by the next router in the path.

Question 61

How do the IP and TCP checksums differ conceptually?

Answer 61

The IP checksum protects the integrity of the IP header; the TCP checksum protects the TCP header and the TCP data.