PE 4 - Sniffing and Evasion Flashcards

1
Q

Given the following Wireshark filter, what is the attacker attempting to view?

A. SYN, SYN/ACK, ACK

B. SYN, FIN, URG, and PSH

C. ACK, ACK, SYN, URG

D. SYN/ACK only

A

A. SYN, SYN/ACK, ACK

2
Q

A target machine (with a MAC of 12:34:56:AB:CD:EF) is connected to a switch port. An attacker (with a MAC of 78:91:00:ED:BC:A1) is attached to a separate port on the same switch with a packet capture running. There is no spanning of ports or port security in place. Two packets leave the target machine. Message 1 has a destination MAC of E1:22:BA:87:AC:12. Message 2 has a destination MAC of FF:FF:FF:FF:FF:FF. Which of the following statements is true regarding the messages being sent?

A. The attacker will see message 1.

B. The attacker will see message 2.

C. The attacker will see both messages.

D. The attacker will see neither message.

A

B. The attacker will see message 2.

3
Q

You have successfully tapped into a network subnet of your target organization. You begin an attack by learning all significant MAC addresses on the subnet. After some time, you decide to intercept messages between two hosts. You begin by sending broadcast messages to Host A showing your MAC address as belonging to Host B. Simultaneously, you send messages to Host B showing your MAC address as belonging to Host A. What is being accomplished here?

A. ARP poisoning to allow you to see all messages from either host without interrupting their communications process

B. ARP poisoning to allow you to see messages from Host A to Host B

C. ARP poisoning to allow you to see messages from Host B to Host A

D. ARP poisoning to allow you to see messages from Host A destined to any address

A

B. ARP poisoning to allow you to see messages from Host A to Host B

4
Q

Your target subnet is protected by a firewalled DMZ. Reconnaissance shows the external firewall passes some traffic from external to internal, but blocks most communications. HTTP traffic to a web server in the DMZ, which answers to www.somebiz.com, is allowed, along with standard traffic such as DNS queries. Which of the following may provide a method to evade the firewall’s protection?

A. An ACK scan

B. Firewalking

C. False positive flooding

D. TCP over DNS

A

D. TCP over DNS

5
Q

Which of the following is the best choice in setting an NIDS tap?

A. Connect directly to a server inside the DMZ.

B. Connect directly to a server in the intranet.

C. Connect to a SPAN port on a switch.

D. Connect to the console port of a router.

A

C. Connect to a SPAN port on a switch.

6
Q

You have a large packet capture file in Wireshark to review. You want to filter traffic to show all packets with an IP address of 192.168.22.5 that contain the string HR_admin. Which of the following filters would accomplish this task?

A. ip.addr==192.168.22.5 &&tcp contains HR_admin

B. ip.addr 192.168.22.5 && “HR_admin”

C. ip.addr 192.168.22.5 &&tcp string ==HR_admin

D. ip.addr==192.168.22.5 + tcp contains tide

A

A. ip.addr==192.168.22.5 &&tcp contains HR_admin

7
Q

Which of the following techniques can be used to gather information from a fully switched network or to disable some of the traffic isolation features of a switch? (Choose two.)

A. DHCP starvation

B. MAC flooding

C. Promiscuous mode

D. ARP spoofing

A

B. MAC flooding

D. ARP spoofing

8
Q

Which of the following is true regarding the discovery of sniffers on a network?

A. To discover the sniffer, ping all addresses and examine latency in responses.

B. To discover the sniffer, send ARP messages to all systems and watch for NOARP responses.

C. To discover the sniffer, configure the IDS to watch for NICs in promiscuous mode.

D. It is almost impossible to discover the sniffer on the network.

A

D. It is almost impossible to discover the sniffer on the network.

9
Q

Which of the following could provide useful defense against ARP spoofing? (Choose all that apply.)

A. Use ARPWALL.

B. Set all NICs to promiscuous mode.

C. Use private VLANs.

D. Use static ARP entries.

A

A. Use ARPWALL.

C. Use private VLANs.

D. Use static ARP entries.

10
Q

Examine the following Snort rule:

Which of the following are true regarding the rule? (Choose all that apply.)

A. This rule will alert on packets coming from the designated home network.

B. This rule will alert on packets coming from outside the designated home address.

C. This rule will alert on packets designated for any port, from port 23, containing the “admin” string.

D. This rule will alert on packets designated on port 23, from any port, containing the “admin” string.

A

B. This rule will alert on packets coming from outside the designated home address.

D. This rule will alert on packets designated on port 23, from any port, containing the “admin” string.

11
Q

You want to begin sniffing, and you have a Windows 7 laptop. You download and install Wireshark but quickly discover your NIC needs to be in “promiscuous mode.” What allows you to put your NIC into promiscuous mode?

A. Installing lmpcap

B. Installing npcap

C. Installing WinPcap

D. Installing libPcap

E. Manipulating the NIC properties through Control Panel | Network and Internet | Change Adapter Settings

A

C. Installing WinPcap

12
Q

A network and security administrator installs an NIDS. After a few weeks, a successful intrusion into the network occurs and a check of the NIDS during the timeframe of the attack shows no alerts. An investigation shows the NIDS was not configured correctly and therefore did not trigger on what should have been attack alert signatures. Which of the following best describes the actions of the NIDS?

A. False positives

B. False negatives

C. True positives

D. True negatives

A

B. False negatives

13
Q

A pen test member has gained access to an open switch port. He configures his NIC for promiscuous mode and sets up a sniffer, plugging his laptop directly into the switch port. He watches traffic as it arrives at the system, looking for specific information to possibly use later. What type of sniffing is being practiced?

A. Active

B. Promiscuous

C. Blind

D. Passive

E. Session

A

D. Passive

14
Q

Which of the following are the best preventive measures to take against DHCP starvation attacks? (Choose two.)

A. Block all UDP port 67 and 68 traffic.

B. Enable DHCP snooping on the switch.

C. Use port security on the switch.

D. Configure DHCP filters on the switch.

A

B. Enable DHCP snooping on the switch.

C. Use port security on the switch.

15
Q

What does this line from the Snort configuration file indicate?

var RULE_PATH c:\etc\snort\rules

A. The configuration variable is not in the proper syntax.

B. It instructs the Snort engine to write rule violations in this location.

C. It instructs the Snort engine to compare packets to the rule set named “rules.”

D. It defines the location of the Snort rules.

A

D. It defines the location of the Snort rules.

16
Q

Which of the following tools is the best choice to assist in evading an IDS?

A. Nessus

B. Nikto

C. Libwhisker

D. Snort

A

C. Libwhisker

17
Q

Examine the Snort output shown here:

Which of the following is true regarding the packet capture?

A. The capture indicates a NOP sled attack.

B. The capture shows step 2 of a TCP handshake.

C. The packet source is 213.132.44.56.

D. The packet capture shows an SSH session attempt.

A

B. The capture shows step 2 of a TCP handshake.

18
Q

Your IDS sits on the network perimeter and has been analyzing traffic for a couple of weeks. On arrival one morning, you find the IDS has alerted on a spike in network traffic late the previous evening. Which type of IDS are you using?

A. Stateful

B. Snort

C. Passive

D. Signature based

E. Anomaly based

A

E. Anomaly based

19
Q

You are performing an ACK scan against a target subnet. You previously verified connectivity to several hosts within the subnet but want to verify all live hosts on the subnet. Your scan, however, is not receiving any replies. Which type of firewall is most likely in use at your location?

A. Packet filtering

B. IPS

C. Stateful

D. Active

A

C. Stateful

20
Q

You are separated from your target subnet by a firewall. The firewall is correctly configured and allows requests only to ports opened by the administrator. In firewalking the device, you find that port 80 is open. Which technique could you employ to send data and commands to or from the target system?

A. Encrypt the data to hide it from the firewall.

B. Use session splicing.

C. Use MAC flooding.

D. Use HTTP tunneling.

A

D. Use HTTP tunneling.

21
Q

Which of the following tools can be used to extract application layer data from TCP connections captured in a log file into separate files?

A. Snort

B. Netcat

C. TCPflow

D. Tcpdump

A

C. TCPflow

22
Q

Examine the Wireshark filter shown here:

ip.src == 192.168.1.1 &&tcp.srcport == 80

Which of the following correctly describes the capture filter?

A. The results will display all traffic from 192.168.1.1 destined for port 80.

B. The results will display all HTTP traffic to 192.168.1.1.

C. The results will display all HTTP traffic from 192.168.1.1.

D. No results will display because of invalid syntax.

A

C. The results will display all HTTP traffic from 192.168.1.1.

23
Q

You need to put the NIC into listening mode on your Linux box, capture packets, and write the results to a log file named my.log. How do you accomplish this with tcpdump?

A. tcpdump -i eth0 -w my.log

B. tcpdump -l eth0 -c my.log

C. tcpdump /i eth0 /w my.log

D. tcpdump /l eth0 /c my.log

A

A. tcpdump -i eth0 -w my.log

24
Q

Which of the following tools can assist with IDS evasion? (Choose all that apply.)

A. Whisker

B. Fragroute

C. Capsa

D. Wireshark

E. ADMmutate

F. Inundator

A

A. Whisker

B. Fragroute

E. ADMmutate

F. Inundator

25
Q

Which command puts Snort into packet logger mode?

A. ./snort -dev -l ./log

B. ./snort -v

C. ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf

D. None of the above

A

A. ./snort -dev -l ./log

26
Q

A security administrator is attempting to “lock down” her network and blocks access from internal to external on all external firewall ports except for TCP 80 and TCP 443. An internal user wants to make use of other protocols to access services on remote systems (FTP, as well as some nonstandard port numbers). Which of the following is the most likely choice the user could attempt to communicate with the remote systems over the protocol of her choice?

A. Use HTTP tunneling.

B. Send all traffic over UDP instead of TCP.

C. Crack the firewall and open the ports required for communication.

D. MAC flood the switch connected to the firewall.

A

A. Use HTTP tunneling.