Sniffing and Evasion - CEH Certified Ethical Hacker Practice Exams Second Edition (2014)


Sniffing and Evasion

This chapter includes questions from the following topics:

• Learn about sniffing and protocols that are susceptible to sniffing

• Describe active and passive sniffing

• Describe ethical hacking techniques for layer 2 traffic

• Learn about sniffing tools and displays

• Describe sniffing countermeasures

• Learn about intrusion detection system (IDS) types, use, and placement

• Describe signature analysis within Snort

• List IDS evasion techniques

• Learn about firewall types, use, and placement

• Describe firewall hacking tools and techniques


Overhearing a conversation, whether intentionally or via eavesdropping, is just part of our daily lives. Sometimes we sniff conversations without even meaning or trying to—it just happens. Anyone who’s worked in a cube-farm office environment knows how easy it is to overhear conversations even when we don’t want to. Or, if you have kids in your house who don’t yet understand that sound travels, eavesdropping is a constant part of your day.

Sometimes our very nature makes it impossible not to listen in. A study in Psychological Science explored a “paradox of eavesdropping”: It’s harder to not listen to a conversation when someone is talking on the phone (we hear only one side of the dialogue) than when two physically present people are talking to each other. Although the phone conversation contains much less information, we’re much more curious about what’s being said. That means we’re hardwired to want to listen in. We can’t help it.

But come on, admit it—you enjoy it sometimes too. Overhearing a juicy piece of information just makes us happy and, for the gossip crowd, provides lots of ammunition for the next watercooler session. And we all really like secrets. In fact, I think the thrill of learning and knowing a secret is matched only by the overwhelming desire to share it. For those working in the classified arena, this paradox of human nature is something that has to be guarded against every single day of their working lives.

Eavesdropping in the virtual world is almost always not accidental—there’s purpose involved. You don’t necessarily need to put a whole lot of effort into it, but it almost never happens on its own without your purposeful manipulation of something. Sniffing provides all sorts of information to the ethical hacker and is a skill all should be intimately familiar with. Just know that the secrets you overhear on your job as a pen tester might be really exciting, and you might really want to tell somebody about them, but you may find yourself really in jail over it too.


STUDY TIPS  Just as with the previous chapter, review your basic network knowledge thoroughly. You’ll see lots of questions designed to test your knowledge on how networking devices handle traffic, how addressing affects packet flow, and which protocols are susceptible to sniffing. Additionally, learn Wireshark very well. Pay particular attention to filters within Wireshark—how to set them up and what syntax they follow—and how to read a capture (not to mention the “follow TCP stream” option). If you haven’t already, download Wireshark and start playing with it—right now, before you even read the questions that follow.

IDS types and ways to get around them won’t make up a gigantic portion of your test, but they’ll definitely be there. Pay particular attention to fragmentation and tunneling.

Snort is another tool you’ll need to know inside and out. Be well versed in configuring rules and reading output from a Snort capture/alert. And when it comes to those captures, oftentimes you can work out the answer just by pulling out the port numbers and addresses, so don’t panic when you see them.

Lastly, don’t forget your firewall types—you won’t see many questions on identifying a definition, but you’ll probably see at least a couple of scenario questions where this knowledge comes in handy, in particular how stateful firewalls work and what they do.

Questions

1. Given the following Wireshark filter, what is the attacker attempting to view?

[Figure: Wireshark filter]

A. SYN, SYN/ACK, ACK

B. SYN, FIN, URG, and PSH

C. ACK, ACK, SYN, URG

D. SYN/ACK only

2. A target machine (with a MAC of 12:34:56:AB:CD:EF) is connected to a switch port. An attacker (with a MAC of 78:91:00:ED:BC:A1) is attached to a separate port on the same switch with a packet capture running. There is no spanning of ports or port security in place. Two packets leave the target machine. Message 1 has a destination MAC of E1:22:BA:87:AC:12. Message 2 has a destination MAC of FF:FF:FF:FF:FF:FF. Which of the following statements is true regarding the messages being sent?

A. The attacker will see message 1.

B. The attacker will see message 2.

C. The attacker will see both messages.

D. The attacker will see neither message.

3. You have successfully tapped into a network subnet of your target organization. You begin an attack by learning all significant MAC addresses on the subnet. After some time, you decide to intercept messages between two hosts. You begin by sending broadcast messages to Host A showing your MAC address as belonging to Host B. Simultaneously, you send messages to Host B showing your MAC address as belonging to Host A. What is being accomplished here?

A. ARP poisoning to allow you to see all messages from both sides without interrupting their communications process

B. ARP poisoning to allow you to see messages from Host A to Host B, and vice versa

C. ARP poisoning to allow you to see messages from Host A destined to any address

D. ARP poisoning to allow you to see messages from Host B destined to any address

E. Failed ARP poisoning—you will not be able to see any traffic

4. Which of the following represents the loopback address in IPv6?

A. fe80::/10

B. fc00::/7

C. fec0::/10

D. ::1

5. An attacker has successfully tapped into a network segment and has configured port spanning for his connection, which allows him to see all traffic passing through the switch. Which of the following protocols protects any sensitive data from being seen by this attacker?

A. FTP

B. IMAP

C. Telnet

D. POP

E. SMTP

F. SSH

6. You have a large packet capture file in Wireshark to review. You want to filter traffic to show all packets with an IP address of 192.168.22.5 that contain the string HR_admin. Which of the following filters would accomplish this task?

A. ip.addr==192.168.22.5 &&tcp contains HR_admin

B. ip.addr 192.168.22.5 && “HR_admin”

C. ip.addr 192.168.22.5 &&tcp string ==HR_admin

D. ip.addr==192.168.22.5 + tcp contains tide

7. Which of the following techniques can be used to gather information from a fully switched network or to disable some of the traffic isolation features of a switch? (Choose two.)

A. DHCP starvation

B. MAC flooding

C. Promiscuous mode

D. ARP spoofing

8. Which of the following is true regarding the discovery of sniffers on a network?

A. To discover the sniffer, ping all addresses and examine latency in responses.

B. To discover the sniffer, send ARP messages to all systems and watch for NOARP responses.

C. To discover the sniffer, configure the IDS to watch for NICs in promiscuous mode.

D. It is almost impossible to discover the sniffer on the network.

9. Which of the following could provide useful defense against ARP spoofing? (Choose all that apply.)

A. Use ARPWALL.

B. Set all NICs to promiscuous mode.

C. Use private VLANS.

D. Use static ARP entries.

10. Examine the following Snort rule:

[Figure: Snort rule]

Which of the following are true regarding the rule? (Choose all that apply.)

A. This rule will alert on packets coming from the designated home network.

B. This rule will alert on packets coming from outside the designated home address.

C. This rule will alert on packets designated for any port, from port 23, containing the “admin” string.

D. This rule will alert on packets designated on port 23, from any port, containing the “admin” string.

11. You want to begin sniffing, and you have a Windows 7 laptop. You download and install Wireshark but quickly discover your NIC needs to be in “promiscuous mode.” What allows you to put your NIC into promiscuous mode?

A. Installing lmpcap

B. Installing npcap

C. Installing winPcap

D. Installing libPcap

E. Manipulating the NIC properties through Control Panel, Network and Internet, Change Adapter Settings

12. You are attempting to deliver a payload to a target inside the organization; however, it is behind an IDS. You are concerned about successfully accomplishing your task without alerting the IDS monitoring team. Which of the following methods are possible options? (Choose all that apply.)

A. Flood the network with fake attacks.

B. Encrypt the traffic between you and the host.

C. Session hijacking.

D. Session splicing.

13. A pen test member has gained access to an open switch port. He configures his NIC for promiscuous mode and sets up a sniffer, plugging his laptop directly into the switch port. He watches traffic as it arrives at the system, looking for specific information to possibly use later. What type of sniffing is being practiced?

A. Active

B. Promiscuous

C. Blind

D. Passive

E. Session

14. Which of the following are the best preventive measures to take against DHCP starvation attacks? (Choose two.)

A. Block all UDP port 67 and 68 traffic.

B. Enable DHCP snooping on the switch.

C. Use port security on the switch.

D. Configure DHCP filters on the switch.

15. What does this line from the Snort configuration file indicate?

[Figure: snort.conf line]

A. The configuration variable is not in the proper syntax.

B. It instructs the Snort engine to write rule violations in this location.

C. It instructs the Snort engine to compare packets to the rule set named “rules.”

D. It defines the location of the Snort rules.

16. Which of the following tools is the best choice to use in sniffing NFS traffic?

A. Macof

B. Snow

C. Filesnarf

D. Snort

17. Examine the Snort output shown here:

[Figure: Snort output]

Which of the following is true regarding the packet capture?

A. The capture indicates a NOP sled attack.

B. The capture shows step 2 of a TCP handshake.

C. The packet source is 213.132.44.56.

D. The packet capture shows an SSH session attempt.

18. Your IDS sits on the network perimeter and has been analyzing traffic for a couple of weeks. On arrival one morning, you find the IDS has alerted on a spike in network traffic late the previous evening. Which type of IDS are you using?

A. Stateful

B. Snort

C. Passive

D. Signature based

E. Anomaly based

19. You are performing an ACK scan against a target subnet. You previously verified connectivity to several hosts within the subnet but want to verify all live hosts on the subnet. Your scan, however, is not receiving any replies. Which type of firewall is most likely in use at your location?

A. Packet filtering

B. IPS

C. Stateful

D. Active

20. You are separated from your target subnet by a firewall. The firewall is correctly configured and allows requests only to ports opened by the administrator. In firewalking the device, you find that port 80 is open. Which technique could you employ to send data and commands to or from the target system?

A. Encrypt the data to hide it from the firewall.

B. Use session splicing.

C. Use MAC flooding.

D. Use HTTP tunneling.

21. Which of the following tools can be used to extract application layer data from TCP connections captured in a log file into separate files?

A. Snort

B. Netcat

C. TCPflow

D. Tcpdump

22. Examine the Wireshark filter shown here:

[Figure: Wireshark filter]

Which of the following correctly describes the capture filter?

A. The results will display all traffic from 192.168.1.1 destined for port 80.

B. The results will display all HTTP traffic to 192.168.1.1.

C. The results will display all HTTP traffic from 192.168.1.1.

D. No results will display because of invalid syntax.

23. You need to put the NIC into listening mode on your Linux box, capture packets, and write the results to a log file named my.log. How do you accomplish this with tcpdump?

A. tcpdump -i eth0 -w my.log

B. tcpdump -l eth0 -c my.log

C. tcpdump /i eth0 /w my.log

D. tcpdump /l eth0 /c my.log

24. Which of the following tools can assist with IDS evasion? (Choose all that apply.)

A. Whisker

B. Fragroute

C. Capsa

D. Wireshark

E. ADMmutate

F. Inundator

25. Which command puts Snort into packet logger mode?

A. ./snort -dev -l ./log

B. ./snort -v

C. ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf

D. None of the above

26. A security administrator is attempting to “lock down” her network and blocks access from internal to external on all external firewall ports except for TCP 80 and TCP 443. An internal user wants to make use of other protocols to access services on remote systems (FTP, as well as some nonstandard port numbers). Which of the following is the most likely choice the user could attempt to communicate with the remote systems over the protocol of her choice?

A. Use HTTP tunneling.

B. Send all traffic over UDP instead of TCP.

C. Crack the firewall and open the ports required for communication.

D. MAC flood the switch connected to the firewall.

Answer Key

1. A

2. B

3. B

4. D

5. F

6. A

7. B, D

8. D

9. A, C, D

10. B, D

11. C

12. B, D

13. D

14. B, C

15. D

16. C

17. B

18. E

19. C

20. D

21. C

22. C

23. A

24. A, B, E, F

25. A

26. A

Answers

1. Given the following Wireshark filter, what is the attacker attempting to view?

[Figure: Wireshark filter]

A. SYN, SYN/ACK, ACK

B. SYN, FIN, URG, and PSH

C. ACK, ACK, SYN, URG

D. SYN/ACK only

A. You’ll see bunches of Wireshark questions on your exam, and EC-Council just loves the “TCP flags = decimal numbers” side of it all. Wireshark treats the TCP flags field as a single integer, so you can filter on the sum of the flag bits instead of naming each flag. The bit values are FIN = 1, SYN = 2, RST = 4, PSH = 8, ACK = 16, and URG = 32; adding them together (for example, SYN + ACK = 18) gives the value for a combination. The same numbers can be written in hex: tcp.flags == 0x002 matches SYN packets, tcp.flags == 0x010 matches packets with only ACK set, and tcp.flags == 0x012 matches SYN/ACK. Don’t mix the two notations, though: 0x16 is decimal 22 (SYN + RST + ACK), not ACK, and 0x18 is 24 (PSH + ACK), not SYN/ACK. The filter in this question uses the decimal values 2, 18, and 16, so the attacker will see all SYN packets, all SYN/ACK packets, and all bare ACK packets: the three-way handshake.

B, C, and D are incorrect because these do not match the decimals provided in the capture (2 for SYN, 18 for SYN/ACK, and 16 for ACK).
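Added example (not from the book): a few lines of Python that make the flag arithmetic concrete. The segment records are constructed for the demo; the bit values are the real ones from the TCP header, and, like Wireshark’s tcp.flags, the exact-match filter compares the whole field as one integer.

```python
# Added example (not from the book): TCP flag arithmetic as Wireshark sees it.
# The flags field is a bitmask; tcp.flags compares the whole field as one
# integer, so decimal 18 and hex 0x12 are the same filter value while
# hex 0x16 is decimal 22 (SYN+RST+ACK), not ACK. The segments are constructed.
from dataclasses import dataclass

# Bit values from the TCP header (RFC 793 flags plus the ECN bits of RFC 3168)
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def flags_value(*names):
    """Compose the integer Wireshark displays for a set of flags, e.g. SYN+ACK -> 18."""
    value = 0
    for name in names:
        value |= FLAG_BITS[name.upper()]
    return value


def flag_names(value):
    """Decode a flags integer back to names (header bit order, low to high)."""
    return [name for name, bit in FLAG_BITS.items() if value & bit]


@dataclass
class Segment:
    src: str
    dst: str
    flags: int


def exact_flags_filter(segments, *values):
    """Equivalent of 'tcp.flags == v1 || tcp.flags == v2 ...': whole field equals one value."""
    return [s for s in segments if s.flags in values]


def flag_bit_filter(segments, name):
    """Equivalent of 'tcp.flags.<name> == 1': the bit is set, other flags don't matter."""
    bit = FLAG_BITS[name.upper()]
    return [s for s in segments if s.flags & bit]


# Constructed capture: a three-way handshake, one data segment, one FIN
SAMPLE = [
    Segment("10.0.0.5", "10.0.0.9", flags_value("SYN")),
    Segment("10.0.0.9", "10.0.0.5", flags_value("SYN", "ACK")),
    Segment("10.0.0.5", "10.0.0.9", flags_value("ACK")),
    Segment("10.0.0.5", "10.0.0.9", flags_value("PSH", "ACK")),
    Segment("10.0.0.9", "10.0.0.5", flags_value("FIN", "ACK")),
]


def handshake_segments(segments=SAMPLE):
    """The question 1 filter: SYN (2), SYN/ACK (18) and bare ACK (16)."""
    return exact_flags_filter(segments, 2, 18, 16)


if __name__ == "__main__":
    print(flags_value("SYN", "ACK"), hex(flags_value("SYN", "ACK")))   # 18 0x12
    print(flag_names(0x16), flag_names(0x18))   # hex 0x16 and 0x18 are not decimal 16 and 18
    print(len(handshake_segments()), "of", len(SAMPLE), "segments match the handshake filter")
```

Note the difference between the two filter styles: an exact match on tcp.flags == 16 misses the PSH/ACK data segment, whereas tcp.flags.ack == 1 catches every segment with ACK set.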

2. A target machine (with a MAC of 12:34:56:AB:CD:EF) is connected to a switch port. An attacker (with a MAC of 78:91:00:ED:BC:A1) is attached to a separate port on the same switch with a packet capture running. There is no spanning of ports or port security in place. Two packets leave the target machine. Message 1 has a destination MAC of E1:22:BA:87:AC:12. Message 2 has a destination MAC of FF:FF:FF:FF:FF:FF. Which of the following statements is true regarding the messages being sent?

A. The attacker will see message 1.

B. The attacker will see message 2.

C. The attacker will see both messages.

D. The attacker will see neither message.

B. This question is all about how a switch works, with a little MAC knowledge thrown in. Remember that switches forward a unicast frame only to the port where the destination MAC was learned, but flood broadcast and multicast frames to every port (flooding also happens for a unicast destination the switch has not learned yet). Broadcast MAC addresses in the frame are easy to spot: they’re always all Fs, indicating all 48 bits turned on in the address. In this case, message 1 is treated as a unicast frame and goes off to its destination port, whereas message 2 is clearly a broadcast, which the switch will gladly flood to all ports, including the attacker’s. (One nit for the practitioners: the first octet of E1:22:BA:87:AC:12 is odd, so its group bit is set and, strictly speaking, it is a multicast address that a switch without IGMP snooping would also flood. The question intends it as an ordinary unicast address, and that is how to read it on the exam.)

A is incorrect because the unicast destination MAC does not match the attacker’s machine. When the frame is read by the switch and compared to the internal address list (CAM table), it will be filtered and sent to the appropriate destination port.

C is incorrect because the switch will not flood both messages to the attacker’s port—it floods only broadcast and multicast.

D is incorrect because the broadcast address will definitely be seen by the attacker.

3. You have successfully tapped into a network subnet of your target organization. You begin an attack by learning all significant MAC addresses on the subnet. After some time, you decide to intercept messages between two hosts. You begin by sending broadcast messages to Host A showing your MAC address as belonging to Host B. Simultaneously, you send messages to Host B showing your MAC address as belonging to Host A. What is being accomplished here?

A. ARP poisoning to allow you to see all messages from both sides without interrupting their communications process

B. ARP poisoning to allow you to see messages from Host A to Host B, and vice versa

C. ARP poisoning to allow you to see messages from Host A destined to any address

D. ARP poisoning to allow you to see messages from Host B destined to any address

E. Failed ARP poisoning—you will not be able to see any traffic

B. ARP poisoning is a relatively simple way to place yourself as the “man in the middle” and spy on traffic. (Be careful with the term man in the middle: it usually implies you are relaying the traffic, so both ends keep talking through you rather than losing their connection.) A host updates its ARP cache when it receives the reply to its own ARP request and, on many stacks, when it receives an unsolicited (gratuitous) ARP reply advertising a MAC-to-IP match. In this example, you’ve told Host A and Host B that you hold the MAC address for Host B and Host A, respectively. Both machines will update their caches, and when the OS builds a frame for the other host, it will happily put your MAC address in the destination field. Just remember that ARP poisoning is oftentimes noisy and may be easy to discover if port security is enabled: the port will lock (err-disable, or “amber” in nerd terminology) when an unexpected MAC tries to use it or when multiple broadcasts claiming different MACs are seen, and Dynamic ARP Inspection on the switch will simply drop your spoofed replies. Additionally, watch out for denial-of-service side effects of attempting ARP poisoning: if you don’t forward what you intercept, you may well bring down a target without even trying to.

A is incorrect for a couple of reasons. First, you won’t receive messages from each host addressed to anywhere in the world; you’ll only receive messages addressed from one to the other, and vice versa. Second, the communications flow between the two hosts will be affected by this. As a matter of fact, neither machine can talk to the other unless you do something about it: the ARP poisoning has all messages going to the hacker, which is why in a real engagement you enable IP forwarding on your box (or let a tool such as Ettercap relay for you) so the frames still reach their real destination after you’ve had a look at them.

C is incorrect for a couple of reasons. First, it’s referencing only one host when the ARP poisoning is in both directions. Second, you would not get messages from Host A to any destination—only those that are addressed to Host B.

D is incorrect for a couple of reasons. First, it’s referencing only one host when the ARP poisoning is in both directions. Second, you would not get messages from Host B to everywhere—only those that are addressed to Host A.

E is incorrect because the ARP poisoning should work fine here, and you will see traffic between the two hosts.

4. Which of the following represents the loopback address in IPv6?

A. fe80::/10

B. fc00::/7

C. fec0::/10

D. ::1

D. You won’t get a ton of IPv6 questions on the exam, but I can almost guarantee you’ll see some variant of this on it. In IPv4, the loopback address was 127.0.0.1. IPv6 uses a 128-bit address instead of IPv4’s 32 bits, written as eight groups of four hexadecimal digits separated by colons. Two shortcuts make it readable: leading zeroes within a group can be dropped, and one run of consecutive all-zero groups can be replaced by a double colon. The loopback address, in full, is 0000:0000:0000:0000:0000:0000:0000:0001, which collapses all the way down to ::1.

A is incorrect because this represents the address block reserved for link-local addressing.

B is incorrect because this represents the unique local address (the counterpart of IPv4 private addressing) block.

C is incorrect because fec0::/10 is the prefix for site-local addresses (deprecated by RFC 3879, but still a favorite of exam writers), not loopback.

5. An attacker has successfully tapped into a network segment and has configured port spanning for his connection, which allows him to see all traffic passing through the switch. Which of the following protocols protects any sensitive data from being seen by this attacker?

A. FTP

B. IMAP

C. Telnet

D. POP

E. SMTP

F. SSH

F. The biggest deterrent you have to sniffing is encryption (as an aside, it’s also the biggest threat to an IDS, but that’s for a different question). All the other protocols listed here are susceptible to sniffing because, in their basic form, they pass information in the clear—that is, with no encryption. (Their TLS-wrapped variants, such as IMAPS, POP3S, and SMTP with STARTTLS, are a different story, but the exam means the plain protocols.) SSH is the only one listed that provides secured transmission and is, therefore, the only correct answer. The CEH exam objective here is to ensure you know which protocols pass information in the clear—thus making them easy to sniff—and which do not.

A is incorrect because FTP sends its passwords and all data in clear text. If you’re sniffing the wire and someone logs in with FTP—voilà!—you’ve got it all.

B is incorrect because IMAP also passes all information—including passwords—in the clear.

C is incorrect because Telnet is another open protocol, passing everything in the clear.

D is incorrect because POP sends all information in clear text.

E is incorrect because SMTP also sends everything in clear text—just look at your e-mail headers if you doubt me.

6. You have a large packet capture file in Wireshark to review. You want to filter traffic to show all packets with an IP address of 192.168.22.5 that contain the string HR_admin. Which of the following filters would accomplish this task?

A. ip.addr==192.168.22.5 &&tcp contains HR_admin

B. ip.addr 192.168.22.5 && “HR_admin”

C. ip.addr 192.168.22.5 &&tcp string ==HR_admin

D. ip.addr==192.168.22.5 + tcp contains tide

A. This is a perfect example of a typical Wireshark question on your exam (and you will see a couple). This is the only answer that sticks to Wireshark filter syntax. Definitely know the ip.addr, ip.src, and ip.dst filters; the “tcp contains” filter is another favorite of test question writers. When you combine filters in one search, use the && designator.

B, C, and D are all incorrect because the syntax is wrong for Wireshark filters. As an aside, a great way to learn the syntax of these filters is to use the expression builder directly beside the filter entry box. It’s self-explanatory and contains thousands of possible expression builds.

7. Which of the following techniques can be used to gather information from a fully switched network or to disable some of the traffic isolation features of a switch? (Choose two.)

A. DHCP starvation

B. MAC flooding

C. Promiscuous mode

D. ARP spoofing

B and D. Switches filter all traffic, unless you tell them otherwise, make them behave differently, or the traffic is broadcast or multicast. If you can gain administrative access to the switch (Cisco IOS, for example), you can tell it to behave otherwise by configuring a span port, which sends copies of frames from all ports to yours. Legitimate span ports are designed for things such as network IDS sensors. To make the switch behave differently, send it more source MAC addresses than its CAM table can hold. On older or poorly configured switches this fills the CAM, and once the switch can no longer learn where hosts live it floods their unicast traffic out every port, effectively turning itself into a hub (sometimes called a fail-open state). Tools such as macof (from the dsniff suite) or Yersinia will happily generate thousands and thousands of fake MAC addresses for you. ARP spoofing, by contrast, doesn’t involve the switch at all; it continues to filter traffic exactly as it was designed to do. It’s the hosts you lie to: their ARP caches now map the victim’s IP address to your MAC address, so they address their frames to you, and the switch dutifully delivers them to your port instead of to the intended recipient. How fun!

A is incorrect because DHCP starvation is a form of a DoS attack, where the attacker “steals” all the available IP addresses from the DHCP server, which prevents legitimate users from connecting.

C is incorrect because the term promiscuous applies to the way a NIC processes messages. Instead of tossing aside all messages that are not addressed specifically for the machine (or broadcast/multicast), promiscuous mode says, “Bring ’em all in so we can take a look at them using our handy sniffing application.”
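Added example (not from the book) covering both question 2 and the MAC flooding half of question 7: a toy learning switch with a small CAM table. The port numbers, the CAM capacity, and the peer address are assumptions for the demonstration; the peer is given as E0:22:BA:87:AC:12 rather than the book’s E1:22:BA:87:AC:12 because the odd first octet of E1 sets the group bit and would be flooded as multicast, which would muddle the point.

```python
# Added example (not from the book): a toy learning switch, enough to show why
# the attacker in question 2 sees the broadcast but not the unicast, and why the
# CAM overflow from question 7's MAC flooding changes that. Port numbers, the
# CAM capacity and the peer address are assumptions for the demonstration.
BROADCAST = "ff:ff:ff:ff:ff:ff"
TARGET = "12:34:56:ab:cd:ef"      # from the question
ATTACKER = "78:91:00:ed:bc:a1"    # from the question
PEER = "e0:22:ba:87:ac:12"        # assumed unicast peer (the book's E1:... has the group bit set)
TARGET_PORT, ATTACKER_PORT, PEER_PORT = 1, 2, 3


def is_group_address(mac):
    """Broadcast and multicast MACs have the I/G bit (low bit of the first octet) set."""
    return (int(mac.split(":")[0], 16) & 0x01) == 1


class Switch:
    def __init__(self, ports, cam_capacity=4):
        self.ports = set(ports)
        self.cam = {}                      # learned source MAC -> port
        self.cam_capacity = cam_capacity   # real tables hold thousands; 4 keeps the demo visible

    def forward(self, ingress, src_mac, dst_mac):
        """Return the set of egress ports for one frame."""
        # Source learning. A full CAM learns nothing new (aging is ignored here),
        # which is exactly the condition a MAC flooding attack tries to create.
        if src_mac in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src_mac] = ingress
        flood = self.ports - {ingress}
        if is_group_address(dst_mac):
            return flood                            # broadcast/multicast: flood
        if dst_mac in self.cam:
            return {self.cam[dst_mac]} - {ingress}  # known unicast: filter to one port
        return flood                                # unknown unicast: flood too


def question2_scenario():
    """All three hosts are already in the CAM; the target sends a unicast and a broadcast."""
    sw = Switch(ports=(TARGET_PORT, ATTACKER_PORT, PEER_PORT))
    for port, mac in ((TARGET_PORT, TARGET), (ATTACKER_PORT, ATTACKER), (PEER_PORT, PEER)):
        sw.forward(port, mac, BROADCAST)
    sees_msg1 = ATTACKER_PORT in sw.forward(TARGET_PORT, TARGET, PEER)
    sees_msg2 = ATTACKER_PORT in sw.forward(TARGET_PORT, TARGET, BROADCAST)
    return sees_msg1, sees_msg2


def mac_flood_scenario(fake_macs=50):
    """macof-style: the attacker's port sources frames from made-up MACs until the
    CAM is full, so the real hosts can never be learned and their unicast floods."""
    sw = Switch(ports=(TARGET_PORT, ATTACKER_PORT, PEER_PORT), cam_capacity=4)
    for i in range(fake_macs):
        sw.forward(ATTACKER_PORT, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", BROADCAST)
    sees_unicast = ATTACKER_PORT in sw.forward(TARGET_PORT, TARGET, PEER)
    only_fakes_learned = all(p == ATTACKER_PORT for p in sw.cam.values())
    return sees_unicast, len(sw.cam), only_fakes_learned


if __name__ == "__main__":
    print("question 2 (msg1, msg2):", question2_scenario())   # (False, True)
    print("after MAC flood:", mac_flood_scenario())            # (True, 4, True)
```

The model deliberately ignores CAM aging. On a real switch the fake entries expire after a few minutes, which is why macof keeps transmitting for as long as you want the flooding to last, and why port security (limiting learned MACs per port) stops it cold.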

8. Which of the following is true regarding the discovery of sniffers on a network?

A. To discover the sniffer, ping all addresses and examine latency in responses.

B. To discover the sniffer, send ARP messages to all systems and watch for NOARP responses.

C. To discover the sniffer, configure the IDS to watch for NICs in promiscuous mode.

D. It is almost impossible to discover the sniffer on the network.

D. I’m not saying it’s impossible, because almost nothing is, but discovering a sniffer on your network is difficult. When a NIC is set to promiscuous mode, it just blindly accepts any packet coming by and sends it up the layers for further processing (which is what allows Wireshark and other sniffers to analyze the traffic). Because they’re sitting there pulling traffic and not sending anything in order to get it, they’re difficult to detect. Certainly if a machine is ARP spoofing or MAC flooding in order to pull off sniffing, it’s easy to spot them, but passive sniffing is difficult.

A is incorrect. Latency tests do exist (flood the segment and watch whose ping response times degrade, on the theory that a promiscuous host is busy processing every frame), but thousands of things affect latency in response to a ping, and a sniffer on the box isn’t a reliable cause or indicator, so this is not a dependable way to discover one.

B is incorrect because NOARP is a Linux kernel module that filters and drops unwanted ARP requests. It’s not a response packet we can discover sniffers with.

C is incorrect because a network IDS cannot see a NIC’s mode from the wire. The NIC is simply doing the same job every other NIC is doing: sitting there receiving frames. (There are active tricks for a suspicious admin, such as sending an ARP request for the suspect’s IP address to a bogus destination MAC and seeing whether the host, which should never have accepted the frame, answers anyway, but that is a probe you run yourself, not something an IDS notices passively, and it is far from reliable.)

9. Which of the following could provide useful defense against ARP spoofing? (Choose all that apply.)

A. Use ARPWALL.

B. Set all NICs to promiscuous mode.

C. Use private VLANS.

D. Use static ARP entries.

A, C, and D. ARPWALL (http://sourceforge.net/projects/arpwall/) is an application available for download from SourceForge. It gives an early warning when an ARP attack occurs and simply blocks the connection. Virtual LANs (VLANs) provide a means to create multiple broadcast domains within a single network: machines on the same switch but in different VLANs are in different networks, and their traffic is isolated. Since ARP works on broadcast, this limits how far an ARP spoofing attack can reach. Static ARP entries are a great idea and, on the host, the only airtight fix, since no matter what is banging around out on the network, the system uses the static mapping you configured (the price is maintaining those entries by hand). On the switch side, Dynamic ARP Inspection paired with DHCP snooping validates ARP replies against known IP-to-MAC bindings and drops the spoofed ones. An IDS may also be helpful in spotting ARP naughtiness starting but wouldn’t necessarily do anything about it.

B is incorrect because setting NICs to promiscuous mode wouldn’t do a thing to prevent a broadcast message (ARP) from being received.

10. Examine the following Snort rule:

[Figure: Snort rule]

Which of the following are true regarding the rule? (Choose all that apply.)

A. This rule will alert on packets coming from the designated home network.

B. This rule will alert on packets coming from outside the designated home address.

C. This rule will alert on packets designated for any port, from port 23, containing the “admin” string.

D. This rule will alert on packets designated on port 23, from any port, containing the “admin” string.

B and D. Snort rules, logs, entries, and configuration files will definitely be part of your exam. This particular rule takes into account a lot of things you’ll see. First, note the exclamation mark (!) just before the HOME_NET variable. Any time you see this, it negates the variable that follows: in this case, the rule matches any packet from an address not in the home network. Following that variable is a spot for the source port number, and the word any indicates we don’t care what the source port is. Next comes the direction operator (->) and the destination information: anything in the home network, destined for port 23. Lastly, inside the parentheses, the content keyword spells out the string we’re looking for in the payload, and msg is the text the alert will carry.

A and C are incorrect because these statements are polar opposite to what the rule is stating.
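Added example (not from the book): a minimal Python evaluator for the parts of Snort rule syntax this rule uses, run over constructed packets. The RULE string inside it is reconstructed from the explanation above (negated $HOME_NET source, any source port, $HOME_NET destination, port 23, content “admin”), not copied from the figure; the $HOME_NET value, msg text, sid, and packets are all made up for the demonstration.

```python
# Added example (not from the book): a minimal evaluator for the subset of Snort
# rule syntax used by the rule in question 10. RULE is reconstructed from the
# explanation, not copied from the figure; $HOME_NET, the msg text, the sid and
# the packets are invented for the demonstration.
import ipaddress
import re

HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]   # assumed value of $HOME_NET

RULE = ('alert tcp !$HOME_NET any -> $HOME_NET 23 '
        '(msg:"Telnet admin string from outside"; content:"admin"; sid:1000001;)')

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


def parse_rule(text):
    """Split a one-line rule into its header fields and a dict of options."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unsupported rule syntax")
    rule = m.groupdict()
    opts = {}
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, val = opt.partition(":")          # content:"admin" -> content, admin
        opts[key.strip()] = val.strip().strip('"')
    rule["opts"] = opts
    return rule


def addr_matches(token, ip):
    """Handle any, $HOME_NET, CIDR/host literals and the ! negation prefix."""
    negate = token.startswith("!")
    token = token.lstrip("!")
    if token == "any":
        nets = [ipaddress.ip_network("0.0.0.0/0")]
    elif token == "$HOME_NET":
        nets = HOME_NET
    else:
        nets = [ipaddress.ip_network(token, strict=False)]
    hit = any(ipaddress.ip_address(ip) in net for net in nets)
    return hit != negate


def port_matches(token, port):
    negate = token.startswith("!")
    token = token.lstrip("!")
    hit = token == "any" or int(token) == port
    return hit != negate


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and payload (bytes)."""
    if rule["proto"] != pkt["proto"]:
        return False

    def header_hit(src, sport, dst, dport):
        return (addr_matches(rule["src"], src) and port_matches(rule["sport"], sport)
                and addr_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))

    hit = header_hit(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["dir"] == "<>":   # bidirectional operator also tries the reverse direction
        hit = hit or header_hit(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not hit:
        return False
    content = rule["opts"].get("content")
    return content is None or content.encode() in pkt["payload"]


# Constructed traffic: only the first packet should alert
PACKETS = [
    dict(proto="tcp", src="203.0.113.7", sport=51000, dst="192.168.1.10", dport=23,
         payload=b"login: admin\r\n"),           # outside -> inside:23 with "admin"
    dict(proto="tcp", src="192.168.1.5", sport=51001, dst="192.168.1.10", dport=23,
         payload=b"login: admin\r\n"),           # source is inside HOME_NET (answer A)
    dict(proto="tcp", src="203.0.113.7", sport=23, dst="192.168.1.10", dport=51002,
         payload=b"admin"),                      # from port 23, not to it (answer C)
    dict(proto="tcp", src="203.0.113.7", sport=51003, dst="192.168.1.10", dport=23,
         payload=b"login: guest\r\n"),           # no content match
]


def alerts(rule_text=RULE, packets=PACKETS):
    """Return the indexes of the packets the rule would alert on."""
    rule = parse_rule(rule_text)
    return [i for i, pkt in enumerate(packets) if rule_matches(rule, pkt)]


if __name__ == "__main__":
    print(parse_rule(RULE)["opts"]["msg"], "->", alerts())   # [0]
```

The second and third constructed packets are exactly the traffic answers A and C describe, and neither fires: one has an inside source, the other has 23 as the source port rather than the destination. Real Snort does much more (stream reassembly, nocase, depth/offset, PCRE), but the header logic is the part the exam tests.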

11. You want to begin sniffing, and you have a Windows 7 laptop. You download and install Wireshark but quickly discover your NIC needs to be in “promiscuous mode.” What allows you to put your NIC into promiscuous mode?

A. Installing lmpcap

B. Installing npcap

C. Installing winPcap

D. Installing libPcap

E. Manipulating the NIC properties through Control Panel, Network and Internet, Change Adapter Settings

C. To understand this, you have to know how a NIC is designed to work. The NIC “sees” lots of traffic but pulls in only the traffic it knows belongs to you. It does this by comparing the destination MAC address of each frame against its own (plus the broadcast address and any multicast groups it has joined): if they match, it pulls the frame in and works on it; if they don’t, the frame is ignored. If you plug a sniffer into a NIC that looks only at traffic designated for the machine you’re on, you’ve kind of missed the point, wouldn’t you say? Promiscuous mode tells the NIC to pull in everything. This allows you to see every frame that reaches your port. On a hub or a span port that is the whole segment; on an ordinary switch port it is only what the switch forwards to you, which is why the MAC flooding and ARP spoofing tricks elsewhere in this chapter exist. WinPcap is a packet capture library that lets Wireshark and other capture tools on Windows machines operate the NIC in promiscuous mode.

A is incorrect because lmpcap does not exist.

B is incorrect for exam purposes: the question keys on WinPcap, the library in universal use when the exam was written. Know, though, that Npcap (the Nmap Project’s successor to WinPcap) very much exists and is what current Wireshark installers bundle on Windows, so in the real world it does the same job.

D is incorrect because libpcap is the Linux and UNIX equivalent, used for the same purpose: putting cards into promiscuous mode and handing the frames to the capture tool.

E is incorrect because accessing the Change Adapter Settings window does not allow you to put the card into promiscuous mode—you still need WinPcap for this.

12. You are attempting to deliver a payload to a target inside the organization; however, it is behind an IDS. You are concerned about successfully accomplishing your task without alerting the IDS monitoring team. Which of the following methods are possible options? (Choose all that apply.)

A. Flood the network with fake attacks.

B. Encrypt the traffic between you and the host.

C. Session hijacking.

D. Session splicing.

B and D. Encryption has always been the enemy of network IDS. After all, if the traffic is encrypted and we can’t see it, what good does it do to have a monitoring system look at the garbled bits? Granted, it would seem difficult to set up encryption between the target host and yourself, but it is plausible and, therefore, a good answer. Session splicing is a great tool to use as well. In session splicing, you break the attack payload into many tiny TCP segments so that no single segment contains enough of the string an IDS signature is looking for. An IDS that inspects packets individually, without reassembling the stream, never sees the whole pattern, while the target’s TCP stack reassembles the segments into the original payload. (If you want to get really sneaky, send them out of order.) Whisker popularized the technique; modern IDS engines counter it with stream reassembly, so it works only against a sensor that isn’t reassembling or that times out the session before you finish.

A is incorrect, but just barely so. Yes, flooding a network with fake attacks can definitely work. The cover fire from all the other attacks should allow you to sneak by. However, there is no way to accomplish this without alerting the monitoring team—after all, the objective is to keep them busy looking at all those fake attacks long enough for you to pull off a real one. Keep in mind that if you’re going to attempt this method, you’ll need a block of sacrificial IP addresses you won’t mind losing. The security staff will, no doubt, see your initial attempts and start blocking those IPs from network access. If you’re hoping to provide cover fire for a “real” attack, you’ll need to have plenty of “pawn” IPs to sacrifice.

imageC is incorrect because session hijacking has almost nothing to do with IDS evasion. It has a lot to do with guessing sequence numbers and leaping into the middle of an existing, already-authenticated communications channel, but we’re not on that chapter yet. Granted, you may be able to make use of some firewall applications or web sessions to bypass some IDS filters, but that’s not the intent of this question (nor is that how it will be phrased on your exam).

13. A pen test member has gained access to an open switch port. He configures his NIC for promiscuous mode and sets up a sniffer, plugging his laptop directly into the switch port. He watches traffic as it arrives at the system, looking for specific information to possibly use later. What type of sniffing is being practiced?

A. Active

B. Promiscuous

C. Blind

D. Passive

E. Session

D. This is one of those odd CEH definitions that drive us all crazy on the exam. Knowing the definition of passive versus active is not really going to make you a better pen tester, but it may save you a question on the test. When it comes to sniffing, if you are not injecting packets into the stream, it is a passive exercise. Tools such as Wireshark are passive in nature. A tool such as Ettercap, though, has built-in features (ARP poisoning, for one) to trick hosts and switches into sending traffic its way, and all sorts of other sniffing hilarity. This type of sniffing, where you use packet injection to force a response, is active in nature. As a quick aside for the real-world preppers out there, truly passive sniffing with a laptop is hard to pull off. As soon as you attach a Windows machine, it starts transmitting all kinds of things (ARP, NetBIOS and LLMNR name queries, DHCP, and so on), which is, technically, putting packets on the wire. Unbinding the protocols from the capture interface, or leaving it without an IP address, keeps it quiet. The real point is that passive sniffing is a mind-set where you are not intentionally putting packets on the wire.

A is incorrect because in the example given, no packet injection is being performed. The pen tester is simply hooking up a sniffer and watching what comes by. The only way this could be more passive is if he had a hammock nearby.

B is incorrect because promiscuous is not a sniffing type. It refers to the NIC's willingness to pass up frames that are not addressed to it.

C is incorrect because blind is not a sniffing type. It is included as a distractor.

E is incorrect because session is not a sniffing type. It is included as a distractor.

14. Which of the following are the best preventive measures to take against DHCP starvation attacks? (Choose two.)

A. Block all UDP port 67 and 68 traffic.

B. Enable DHCP snooping on the switch.

C. Use port security on the switch.

D. Configure DHCP filters on the switch.

B and C. DHCP starvation is a denial-of-service attack that EC-Council somehow slipped into the sniffing section. The attack is straightforward: the attacker floods the server with DHCPDISCOVER and DHCPREQUEST messages, each carrying a different client hardware address, until the scope is exhausted, so legitimate users cannot obtain a lease and cannot communicate on the subnet (it is also the usual prelude to standing up a rogue DHCP server that hands out the attacker's gateway and DNS). DHCP snooping on a Cisco switch (ip dhcp snooping) marks ports as trusted or untrusted, drops DHCP server messages that arrive on untrusted ports, and builds a binding table of MAC address, IP address, lease and port for every lease it sees. Two of its options are what actually blunt starvation: ip dhcp snooping limit rate on the untrusted ports caps client DHCP messages per second and err-disables a port that exceeds the cap, and ip dhcp snooping verify mac-address drops any client message whose chaddr field does not match the frame's source MAC, which defeats tools that randomize only the DHCP-layer address. Port security, while not aimed at DHCP specifically, can be a means of defense as well. By limiting the number of MACs associated with a port (switchport port-security maximum), and optionally whitelisting which specific MACs may use it, you reduce an attacker's ability to drain the scope with spoofed source addresses.

A is incorrect because blocking all UDP 67 and 68 traffic would render the entire DHCP system moot; no one could obtain an address.

D is incorrect because, in the exam's terminology, DHCP filtering is configured on the server, not the switch: it is the server-side whitelist of clients allowed a lease.
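The two switch-side checks described above, modelled in Python as an added example (this is not code from the book or from any switch vendor; the frames, port names and rate limit are constructed for the illustration). It shows why a starvation tool that fakes only the DHCP chaddr field dies at the MAC-verification check, and why one that spoofs the frame's source MAC as well is stopped only by the per-port rate limit:

```python
"""Model of the DHCP snooping checks that blunt DHCP starvation.

Added example, not code from the book or from any switch vendor. It reproduces
in plain Python the logic of two Cisco IOS options, 'ip dhcp snooping verify
mac-address' (drop a client message whose BOOTP chaddr differs from the frame's
source MAC) and 'ip dhcp snooping limit rate N' (err-disable an untrusted port
that sends more than N client DHCP messages per second). All frames, port
names and limits below are constructed for the example.
"""
import struct
from collections import defaultdict


def build_discover(eth_src: bytes, chaddr: bytes, xid: int = 0x3903F326) -> bytes:
    """Constructed Ethernet/IPv4/UDP/BOOTP DHCPDISCOVER frame.

    IP and UDP checksums are left at zero to keep the builder short; a real
    client fills them in."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s",
                        1, 1, 6, 0,                # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
                        xid, 0, 0x8000,            # xid, secs, flags (broadcast bit)
                        bytes(4), bytes(4), bytes(4), bytes(4),   # ciaddr yiaddr siaddr giaddr
                        chaddr.ljust(16, b"\0"))   # chaddr field is 16 bytes wide
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp),
                     0, 0, 64, 17, 0, bytes(4), b"\xff\xff\xff\xff")
    eth = b"\xff" * 6 + eth_src + b"\x08\x00"
    return eth + ip + udp + bootp


def parse_bootp(frame: bytes):
    """Return (Ethernet source MAC, BOOTP op, chaddr) from a DHCP frame."""
    eth_src = frame[6:12]
    ihl = (frame[14] & 0x0F) * 4
    bootp = frame[14 + ihl + 8:]            # skip the IP header and 8-byte UDP header
    op, hlen = bootp[0], bootp[2]
    return eth_src, op, bootp[28:28 + hlen]  # chaddr starts at BOOTP offset 28


class PortState:
    def __init__(self):
        self.forwarded = []        # timestamps of client messages forwarded
        self.err_disabled = False


class DhcpSnooping:
    """Decisions a snooping switch makes for DHCP arriving on an untrusted port."""

    def __init__(self, limit_pps: int, verify_mac: bool = True):
        self.limit_pps = limit_pps
        self.verify_mac = verify_mac
        self.ports = defaultdict(PortState)

    def inspect(self, port: str, frame: bytes, now: float) -> str:
        state = self.ports[port]
        if state.err_disabled:
            return "drop: port err-disabled"
        eth_src, op, chaddr = parse_bootp(frame)
        if op != 1:
            # A BOOTREPLY from an untrusted port is a rogue server; never forwarded.
            return "drop: server message on untrusted port"
        if self.verify_mac and eth_src != chaddr:
            # A starvation tool that randomises only chaddr fails this check.
            return "drop: chaddr does not match source MAC"
        state.forwarded = [t for t in state.forwarded if now - t < 1.0]
        if len(state.forwarded) >= self.limit_pps:
            state.err_disabled = True      # IOS err-disables the port at this point
            return "drop: rate limit exceeded, port err-disabled"
        state.forwarded.append(now)
        return "forward"


def simulate_chaddr_only_spoof(n: int = 50) -> int:
    """Tool keeps the real NIC address on the wire but fakes chaddr; returns the forwarded count."""
    switch = DhcpSnooping(limit_pps=15)
    real_mac = bytes.fromhex("00c0ca00aa01")
    results = [switch.inspect("Gi1/0/5", build_discover(real_mac, bytes([2, 0, 0, 0, 0, i])), now=i * 0.01)
               for i in range(n)]
    return results.count("forward")


def simulate_full_spoof(n: int = 50):
    """Tool spoofs the frame source MAC too, so only the rate limit can stop it."""
    switch = DhcpSnooping(limit_pps=15)
    results = []
    for i in range(n):
        mac = bytes([2, 0, 0, 0, 0, i])
        results.append(switch.inspect("Gi1/0/5", build_discover(mac, mac), now=i * 0.01))
    return results.count("forward"), switch.ports["Gi1/0/5"].err_disabled
```

With a limit of 15 messages per second, the full-spoof run forwards 15 requests and then err-disables the port, which is also why the rate limit has to be set with real clients in mind: a PXE boot storm after a power cut looks a lot like a starvation attack to this check.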

15. What does this line from the Snort configuration file indicate?

[Figure not reproduced: a var RULE_PATH line from snort.conf; the explanation of answer D gives its contents.]

A. The configuration variable is not in proper syntax.

B. It instructs the Snort engine to write rule violations in this location.

C. It instructs the Snort engine to compare packets to the rule set named “rules.”

D. It defines the location of the Snort rules.

D. The var RULE_PATH entry in the config file defines the path to the rules for the IDS; in this case, they will be located in C:\etc\snort\rules. That directory will hold dozens of rule files, each of which you can "turn on" with an include line. If you were configuring Snort to watch for fantasy football traffic, for example, you would point it at this directory and then include the rule file you wrote for fantasy football connection attempts. (Once defined, a variable is referenced later in the file as $RULE_PATH; ipvar and portvar define network and port variables the same way.)

A is incorrect because this configuration line is in proper syntax.

B is incorrect because this variable is not designed for that purpose. Alerts and logged packets go to the logging directory you designate with the -l option when starting the Snort engine (the default is /var/log/snort). For example, the command

[Figure not reproduced: a Snort command line whose -l option points at c:\snort\log.]

starts Snort with its log directory at c:\snort\log.

C is incorrect because the include directive, not a variable, is what pulls a rule file into the active configuration. Within this same configuration file, for example, you may have a rule file named fantasy.rules. To get Snort to alert on it, you point the configuration at the directory where the rule files live (the RULE_PATH variable) and then tell it which files to bring into play:

[Figure not reproduced: an include line that references fantasy.rules under the RULE_PATH variable.]
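The way var and include lines fit together is easiest to see in a small parser. The following is an added example, not code from the book or from the Snort project; it resolves the RULE_PATH variable into each include path exactly as the explanation describes. The snort.conf fragment inside it is constructed, and the rule file names (local.rules, fantasy.rules, disabled.rules) are made up for the illustration:

```python
"""Resolve the var definitions and include lines of a snort.conf.

Added example, not from the book or from the Snort project: a small parser that
shows how a RULE_PATH variable is defined once and then expanded in every
include line. The configuration text is constructed and the rule file names in
it are made up.
"""
import re

SAMPLE_CONF = r"""
# constructed snort.conf fragment
var RULE_PATH C:\etc\snort\rules
ipvar HOME_NET 192.168.1.0/24
portvar HTTP_PORTS [80,8080]
include $RULE_PATH/local.rules
include $RULE_PATH/fantasy.rules
# include $RULE_PATH/disabled.rules
"""

VAR_REF = re.compile(r"\$(?:\{(\w+)\}|(\w+))")   # $NAME or ${NAME}


def expand(value: str, variables: dict) -> str:
    """Replace $NAME references; Snort itself aborts on an undefined variable."""
    def replace(match):
        name = match.group(1) or match.group(2)
        if name not in variables:
            raise KeyError(f"undefined variable ${name}")
        return variables[name]
    return VAR_REF.sub(replace, value)


def parse_snort_conf(text: str):
    """Return ({variable: value}, [resolved include paths]) in file order."""
    variables, includes = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        if keyword in ("var", "ipvar", "portvar"):
            name, _, value = rest.strip().partition(" ")
            variables[name] = expand(value.strip(), variables)   # values may reference earlier vars
        elif keyword == "include":
            includes.append(expand(rest.strip(), variables))
    return variables, includes
```

Commenting out an include line is how a rule file is switched off without deleting it, which is what the parser's comment stripping reproduces; an include that names a variable defined nowhere stops the load, just as Snort refuses to start on an undefined variable.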

16. Which of the following tools is the best choice to use in sniffing NFS traffic?

A. Macof

B. Snow

C. Filesnarf

D. Snort

C. In yet another specific-tool question, EC-Council wants you to know that filesnarf (www.irongeek.com/i.php?page=backtrack-3-man/filesnarf), part of Dug Song's dsniff suite, is designed specifically with NFS in mind. It sniffs files out of NFS traffic and saves them into the current working directory.

A is incorrect because macof, from the same dsniff suite, is a MAC flooding tool.

B is incorrect because snow is a steganography tool; it hides data in the trailing whitespace of text files.

D is incorrect because Snort, while a perfectly acceptable sniffer, is not designed specifically for NFS and is not the best choice available here.

17. Examine the Snort output shown here:

[Figure not reproduced: Snort packet output; per the explanation below, a TCP segment on port 23 from 190.168.5.12 to 213.132.44.56 whose flag field reads ***A**S*.]

Which of the following is true regarding the packet capture?

A. The capture indicates a NOP sled attack.

B. The capture shows step 2 of a TCP handshake.

C. The packet source is 213.132.44.56.

D. The packet capture shows an SSH session attempt.

B. You will probably see at least one or two Snort capture logs on the exam, and most of them are just this easy. The capture shows a TCP port 23 packet from 190.168.5.12 headed toward 213.132.44.56. Snort prints the TCP flags as an eight-character field in the order 1 2 U A P R S F (the two reserved bits, then URG, ACK, PSH, RST, SYN, FIN), with an asterisk for each bit that is clear, so ***A**S* means the ACK and SYN flags are set. Because the three-way handshake is SYN, SYN/ACK, and ACK, a segment with both SYN and ACK set is the responder's reply, step 2. Solved!

A is incorrect because this is a single handshake segment; a NOP sled is a run of no-op instructions padding an exploit's shellcode, and nothing of the kind is in evidence here.

C is incorrect because this answer has it in reverse; the source is 190.168.5.12.

D is incorrect because the port number shown in the capture is 23 (Telnet), not 22 (SSH).
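Decoding that flag field is mechanical once you know the position order, and so is pulling the addresses and ports out of the surrounding lines. The parser below is an added example, not code from the book or from the Snort project. Because the original figure is not reproduced on this page, the three-line dump inside it is constructed to match what the question describes; the timestamp, the ephemeral port, and the sequence and acknowledgment numbers are made up:

```python
"""Decode the flag field and addresses from Snort's packet-dump output.

Added example, not from the book or from Snort. Snort prints the TCP flags as an
eight-position field in the order 1 2 U A P R S F (the two reserved bits, known
today as CWR and ECE, then URG, ACK, PSH, RST, SYN, FIN) with an asterisk for
each clear bit, so ***A**S* is ACK plus SYN. The dump below is constructed to
match the question; the timestamp, ephemeral port, sequence and acknowledgment
numbers are invented.
"""
import re

SAMPLE_DUMP = """\
06/14-22:41:07.284316 190.168.5.12:23 -> 213.132.44.56:1027
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x1D2F4A11  Ack: 0x0000A3C5  Win: 0x3908  TcpLen: 24
"""

FLAG_ORDER = "12UAPRSF"
FLAG_NAMES = {"1": "CWR", "2": "ECE", "U": "URG", "A": "ACK",
              "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}
HEADER_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
FLAGS_RE = re.compile(r"^([1*][2*][U*][A*][P*][R*][S*][F*]) Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+)")


def decode_flags(field: str) -> set:
    """Turn Snort's eight-character flag field into a set of flag names."""
    if len(field) != 8:
        raise ValueError(f"flag field must be 8 characters: {field!r}")
    flags = set()
    for expected, ch in zip(FLAG_ORDER, field):
        if ch == "*":
            continue
        if ch != expected:
            raise ValueError(f"unexpected {ch!r} in the {expected} position")
        flags.add(FLAG_NAMES[ch])
    return flags


def handshake_step(flags: set):
    """1 for SYN, 2 for SYN/ACK, otherwise None: a lone ACK could be step 3 or
    any later segment, so it cannot be classified without the surrounding packets."""
    if flags == {"SYN"}:
        return 1
    if flags == {"SYN", "ACK"}:
        return 2
    return None


def parse_snort_packet(dump: str) -> dict:
    """Parse the three lines Snort prints for one TCP packet in verbose mode."""
    lines = [line for line in dump.splitlines() if line.strip()]
    header = HEADER_RE.match(lines[0])
    if not header:
        raise ValueError("not a Snort packet header line")
    proto = lines[1].split()[0]
    packet = {"timestamp": header.group(1),
              "src": header.group(2), "sport": int(header.group(3)),
              "dst": header.group(4), "dport": int(header.group(5)),
              "proto": proto}
    if proto == "TCP":
        flags_line = FLAGS_RE.match(lines[2])
        if not flags_line:
            raise ValueError("not a Snort TCP flags line")
        packet["flags"] = decode_flags(flags_line.group(1))
        packet["seq"] = int(flags_line.group(2), 16)
        packet["ack"] = int(flags_line.group(3), 16)
        packet["handshake_step"] = handshake_step(packet["flags"])
    return packet
```

The parser deliberately refuses to call a bare ACK "step 3": on a real sensor that decision needs the preceding SYN and SYN/ACK, which is the same reason the exam only ever asks you to identify the first two steps from a single packet.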

18. Your IDS sits on the network perimeter and has been analyzing traffic for a couple of weeks. On arrival one morning, you find the IDS has alerted on a spike in network traffic late the previous evening. Which type of IDS are you using?

A. Stateful

B. Snort

C. Passive

D. Signature based

E. Anomaly based

E. The scenario described here is precisely what an anomaly- or behavior-based system is designed for. The system watches traffic and, over time, builds a model of what "normal" looks like: sources and destinations, ports in use, and the times of day with higher data flows. In one sense it is better than a plain signature-based system because it can flag behavior that no signature describes; however, anomaly-based systems are notorious for the number of false positives they spin off, especially early on, before the baseline has seen a month-end batch job or a holiday.

A is incorrect because stateful refers to a firewall type, not an IDS.

B is incorrect because Snort is a signature-based IDS.

C is incorrect for this question because passive describes how an IDS responds, not how it detects: a passive sensor only alerts, whereas an inline device that stops the traffic is an intrusion prevention system (IPS). The question is asking about the detection method.

D is incorrect because a signature-based IDS does not care about the volume of traffic going by, nor about the time of day. It compares each packet (or reassembled stream) against the signature rules you configure, and if nothing matches, no action is taken.
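A baseline detector of the kind this scenario implies is short enough to write out. The code below is an added example, not code from the book or from any IDS product: it learns a mean and standard deviation per hour of the day from a training period, flags an hour that lands too many standard deviations above its mean, and refuses to alert on an hour it has not seen often enough, which is the early-days false-positive problem mentioned above. The traffic counts are constructed (a business-hours profile with random noise) and the late-evening spike is injected; the thresholds are illustrative:

```python
"""A per-hour baseline detector of the kind the late-evening-spike scenario implies.

Added example, not from the book or any IDS product. For each hour of the day it
learns the mean and standard deviation of bytes seen during a training period,
then flags a new hour whose volume lies more than k standard deviations above
that hour's mean. The counts are constructed (a business-hours profile with
mild random noise) and the spike is injected; k and min_samples are illustrative.
"""
import math
import random
from collections import defaultdict


def constructed_baseline(days: int = 14, seed: int = 7) -> dict:
    """hour -> list of daily byte counts: busy 08:00-18:00, quiet otherwise."""
    rng = random.Random(seed)
    samples = defaultdict(list)
    for _ in range(days):
        for hour in range(24):
            typical = 800_000 if 8 <= hour < 18 else 60_000
            samples[hour].append(int(typical * rng.uniform(0.85, 1.15)))
    return samples


class HourlyBaseline:
    def __init__(self, k: float = 3.0, min_samples: int = 7):
        self.k = k                      # alert when the z-score exceeds k
        self.min_samples = min_samples  # never alert on an hour seen fewer times than this
        self.stats = {}                 # hour -> (mean, standard deviation, sample count)

    def train(self, samples: dict) -> None:
        for hour, values in samples.items():
            n = len(values)
            mean = sum(values) / n
            var = sum((v - mean) ** 2 for v in values) / (n - 1) if n > 1 else 0.0
            self.stats[hour] = (mean, math.sqrt(var), n)

    def evaluate(self, hour: int, value: int):
        """Return ('learning' | 'ok' | 'alert', z-score or None)."""
        mean, std, n = self.stats.get(hour, (0.0, 0.0, 0))
        if n < self.min_samples:
            return "learning", None      # too little history: everything would look abnormal
        z = (value - mean) / std if std > 0 else math.inf
        return ("alert" if z > self.k else "ok"), z

    def detect_spikes(self, day: dict) -> list:
        """Hours of a new day (hour -> bytes) that raise an alert, in order."""
        return [hour for hour, value in sorted(day.items())
                if self.evaluate(hour, value)[0] == "alert"]


def constructed_day(spike_hour: int = 22, spike_bytes: int = 1_500_000) -> dict:
    """One new day at the typical profile, except for an injected late-evening spike."""
    day = {h: (800_000 if 8 <= h < 18 else 60_000) for h in range(24)}
    day[spike_hour] = spike_bytes
    return day
```

Two weeks of history is enough for the 22:00 spike to stand out by hundreds of standard deviations, but the same model trained on three days returns "learning" for every hour; a product that alerts anyway during that window is where the reputation for false positives comes from.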

19. You are performing an ACK scan against a target subnet. You previously verified connectivity to several hosts within the subnet but want to verify all live hosts on the subnet. Your scan, however, is not receiving any replies. Which type of firewall is most likely in use at your location?

A. Packet filtering

B. IPS

C. Stateful

D. Active

C. Most people think of a firewall as a simple packet filter, examining each packet against an access list: if the port is allowed, let the packet through. A stateful inspection firewall goes further. It keeps a connection table and judges each packet by the state of the connection it claims to belong to (deep-inspection products look at the payload as well). For the common, textbook example, if a stateful firewall receives an ACK from outside, it checks whether there is a tracked connection, started by a SYN from inside, that the ACK belongs to. If there is not, that is, if the communication did not originate from inside the subnet, it silently drops the packet. That is why your ACK scan sees nothing: nmap reports every port as filtered, whereas through a stateless filter the host behind it would answer each ACK with a RST and nmap would report the port as unfiltered.

A is incorrect because a packet-filtering firewall does not track connections; it is concerned with what port the packet is headed to. If, for instance, you host a web page out of that subnet but not an FTP server, the filter should be set up to allow port 80 in but not port 21. To let replies to outbound connections back in, such filters typically rely on a rule that admits any segment with the ACK (or RST) bit set (the established keyword in Cisco ACLs), which is exactly what an ACK scan exploits to map the rule set.

B is incorrect because an intrusion prevention system (IPS) is not a firewall. It is a network-monitoring solution that recognizes malicious traffic and takes action to prevent or stop the attack.

D is incorrect because active is not a firewall type. It is included as a distractor.
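The difference is easiest to see by feeding the same three packets to both kinds of filter. This is an added example, not code from the book or from any firewall product: a stateless filter that checks the destination port and admits anything with ACK or RST set so that replies can come back, next to a stateful filter that keeps a connection table. The addresses, ports and the probe itself are constructed:

```python
"""Why an ACK scan gets no replies through a stateful firewall.

Added example, not from the book or any firewall product. Two toy firewalls are
fed the same constructed packets: a stateless filter that checks the destination
port (plus the usual 'established' rule that admits any segment with ACK or RST
set so replies can come back), and a stateful filter that keeps a connection
table. The addresses and ports are invented for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    direction: str      # "out" (leaving the protected subnet) or "in"


class PacketFilter:
    """Stateless ACL: inbound allowed to published ports, or when ACK/RST is set."""

    def __init__(self, published_ports, established_rule: bool = True):
        self.published = set(published_ports)
        self.established_rule = established_rule

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            return "allow"
        if pkt.dport in self.published:
            return "allow"
        if self.established_rule and pkt.flags & {"ACK", "RST"}:
            return "allow"         # looks like a reply; a stateless filter cannot know
        return "drop"


class StatefulFirewall:
    """Connection tracking: inbound must belong to a tracked connection."""

    def __init__(self, published_ports=()):
        self.published = set(published_ports)
        self.connections = set()   # (src, sport, dst, dport) of the initiating SYN

    def decide(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.direction == "out":
            if pkt.flags == {"SYN"}:
                self.connections.add(key)    # inside-initiated connection
            return "allow"
        if reverse in self.connections or key in self.connections:
            return "allow"                   # reply to, or part of, a tracked connection
        if pkt.flags == {"SYN"} and pkt.dport in self.published:
            self.connections.add(key)        # new connection to a published service
            return "allow"
        return "drop"                        # unsolicited ACK: dropped, and no RST goes back


def ack_scan_scenario(fw) -> list:
    """Outbound web request, its SYN/ACK reply, then an unsolicited ACK probe to port 445."""
    packets = [
        Packet("10.0.0.5", 40000, "203.0.113.7", 80, frozenset({"SYN"}), "out"),
        Packet("203.0.113.7", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}), "in"),
        Packet("198.51.100.9", 55555, "10.0.0.5", 445, frozenset({"ACK"}), "in"),
    ]
    return [fw.decide(p) for p in packets]
```

The stateless filter passes the probe because of the very rule that lets the web reply in, so the host answers it with a RST and nmap prints "unfiltered"; the stateful filter passes the reply because it remembers the outbound SYN, drops the probe, and nmap prints "filtered".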

20. You are separated from your target subnet by a firewall. The firewall is correctly configured and allows requests only to ports opened by the administrator. In firewalking the device, you find that port 80 is open. Which technique could you employ to send data and commands to or from the target system?

A. Encrypt the data to hide it from the firewall.

B. Use session splicing.

C. Use MAC flooding.

D. Use HTTP tunneling.

D. HTTP tunneling is a successful "hacking" technique, but it is hardly new; Microsoft has been wrapping RPC inside HTTP for years. The tactic is simple: because port 80 is almost never filtered by a firewall, you wrap the traffic of a protocol the firewall would otherwise block inside HTTP requests and responses on port 80. Of course, you need something on the other end to unwrap the payload from all those HTTP requests, but that is not altogether difficult. A port-based firewall cannot tell the difference; only a proxy or application-layer gateway that actually parses the HTTP would notice that the "web" traffic is not web traffic.

A is incorrect because encryption will not do a thing for you here. The firewall is not looking at content or payload; it is looking at packet headers and port numbers, and an encrypted packet to a blocked port is still a packet to a blocked port. Encryption is a good choice for getting around an IDS, not a firewall.

B is incorrect because session splicing is a technique for evading an IDS, not a firewall. Again, the firewall is interested in the packet and frame headers, not what fragments of code you have hidden in the payload.

C is incorrect because MAC flooding is a technique for sniffing on a switch. The idea is to fill the CAM table with thousands of bogus MAC addresses. Once the table is full the switch can no longer learn new addresses and floods frames for unknown destinations out every port, which effectively turns it into a hub.

21. Which of the following tools can be used to extract application layer data from TCP connections captured in a log file into separate files?

A. Snort

B. Netcat

C. TCPflow

D. Tcpdump

C. TCPflow (https://github.com/simsong/tcpflow/wiki/tcpflow%E2%80%94-A-tcp-ip-session-reassembler) is "a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored 'tcpdump' packet flows. tcpflow is similar to 'tcpdump', in that both process packets from the wire or from a stored file. But it's different in that it reconstructs the actual data streams and stores each flow in a separate file for later analysis." In practice, tcpflow -r capture.pcap writes one file per direction, named after the endpoints (for example 010.000.000.005.40000-203.000.113.007.00080), which makes pulling a transferred file or a cleartext login out of a capture a matter of opening the right file.

A is incorrect because Snort is a great IDS, sniffer, and packet logger, but it is not built for splitting TCP streams into per-flow files for application layer analysis.

B is incorrect because netcat (the Swiss Army knife of hacking, as it is called) is not designed for sniffing and packet analysis.

D is incorrect because tcpdump will certainly capture everything for you, but it does not reconstruct the data streams or store each flow in a separate file for later analysis.
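Flow reassembly is also the defender's answer to the session splicing of question 12, so one example can show both sides. The code below is an added example, not code from the book, from tcpflow or from Snort: an HTTP request carrying a recognisable string is cut into three-byte TCP segments and shuffled, a sensor that examines one packet at a time misses it, and a tcpflow-style reassembler that groups segments by flow and orders them by sequence number recovers the string. The packets, addresses, signature and the file-naming helper's inputs are all constructed:

```python
"""Session splicing and TCP flow reassembly, side by side.

Added example, not from the book, from tcpflow or from Snort. It serves both the
session-splicing question (12) and the tcpflow question (21): an HTTP request
containing a recognisable string is split into small TCP segments, a matcher
that looks at one packet at a time misses it, and a reassembler that groups
segments by flow and orders them by sequence number, as tcpflow and Snort's
stream preprocessor do, recovers the string even when the segments arrive out
of order. The packets, addresses and signature are constructed.
"""
import random
import struct

SIGNATURE = b"/etc/passwd"


def ip4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_segment(src, sport, dst, dport, seq, payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet (no link layer; checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ip4(src), ip4(dst))
    return ip + tcp


def parse_segment(pkt: bytes):
    """Return (src, sport, dst, dport, seq, payload) from an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport, seq = struct.unpack("!HHI", pkt[ihl:ihl + 8])
    data_offset = (pkt[ihl + 12] >> 4) * 4
    return src, sport, dst, dport, seq, pkt[ihl + data_offset:]


def splice(payload, src, sport, dst, dport, isn, chunk=3, shuffle_seed=None):
    """The evasion: one payload spread over many tiny segments, optionally reordered."""
    segments = [build_segment(src, sport, dst, dport, isn + offset, payload[offset:offset + chunk])
                for offset in range(0, len(payload), chunk)]
    if shuffle_seed is not None:
        random.Random(shuffle_seed).shuffle(segments)
    return segments


def per_packet_match(packets, signature=SIGNATURE) -> bool:
    """A naive sensor: does any single packet's payload contain the signature?"""
    return any(signature in parse_segment(p)[5] for p in packets)


def reassemble(packets) -> dict:
    """tcpflow-style: one byte stream per (src, sport, dst, dport), ordered by seq.
    Overlap is resolved first-come; a gap is filled with NUL bytes."""
    flows = {}
    for p in packets:
        src, sport, dst, dport, seq, data = parse_segment(p)
        flows.setdefault((src, sport, dst, dport), []).append((seq, data))
    streams = {}
    for key, segments in flows.items():
        segments.sort(key=lambda s: s[0])
        base = segments[0][0]
        stream = bytearray()
        for seq, data in segments:
            offset = seq - base
            if offset > len(stream):
                stream.extend(b"\0" * (offset - len(stream)))
            elif offset < len(stream):
                data = data[len(stream) - offset:]
            stream.extend(data)
        streams[key] = bytes(stream)
    return streams


def stream_match(packets, signature=SIGNATURE) -> bool:
    """A sensor that reassembles first: does any flow's stream contain the signature?"""
    return any(signature in stream for stream in reassemble(packets).values())


def flow_filename(key) -> str:
    """tcpflow's output file name for a flow: zero-padded src.port-dst.port."""
    src, sport, dst, dport = key
    pad = lambda a: ".".join(f"{int(o):03d}" for o in a.split("."))
    return f"{pad(src)}.{sport:05d}-{pad(dst)}.{dport:05d}"
```

Three-byte segments can never hold an eleven-byte signature, which is the whole trick; the reassembler's one policy decision, first-come on overlapping data, is also where real evasions against real sensors live, because the target's TCP stack may resolve an overlap differently from the IDS.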

22. Examine the Wireshark filter shown here:

[Figure not reproduced: a Wireshark filter combining ip.src for 192.168.1.1 with a source port of 80.]

Which of the following correctly describes the capture filter?

A. The results will display all traffic from 192.168.1.1 destined for port 80.

B. The results will display all HTTP traffic to 192.168.1.1.

C. The results will display all HTTP traffic from 192.168.1.1.

D. No results will display because of invalid syntax.

C. Wireshark filters will be covered quite a bit on your exam, and, as stated earlier, these are easy questions for you. The preceding syntax designates the source IP and combines it with a source TCP port, so it matches everything 192.168.1.1 sends from port 80, which is to say its answers to port 80 requests. As another important study tip, watch for the period (.) between "ip" and "src" on the exam, because they will drop it or change it to a dash (-) to trick you. Two real-world caveats. First, a filter written as ip.src == ... is a display filter; Wireshark's capture filters use BPF syntax (src host 192.168.1.1 and src port 80), and the exam calls both "filters" interchangeably. Second, in a capture filter a name such as http is just a lookup of port 80 in the services file, but in a display filter http matches whatever the HTTP dissector decoded, which is not the same thing as tcp.port == 80. As a budding ethical hacker, you should know by now that even though something is traveling on port 80, it may or may not be HTTP traffic.

A is incorrect because port 80 is defined as the source port, not the destination. 192.168.1.1 is answering a request for a page.

B is incorrect because 192.168.1.1 is defined as the source address, not the destination.

D is incorrect because the syntax is indeed correct.

23. You need to put the NIC into listening mode on your Linux box, capture packets, and write the results to a log file named my.log. How do you accomplish this with tcpdump?

A. tcpdump -i eth0 -w my.log

B. tcpdump -l eth0 -c my.log

C. tcpdump/i eth0 /w my.log

D. tcpdump/l eth0 /c my.log

A. Tcpdump syntax is simple: tcpdump flag(s) interface. The -i flag specifies the interface (in this example, eth0) for tcpdump to listen on, and the -w flag defines where you want the packet log written. For your own study, be aware that many study references, including EC-Council's official reference books, state that the -i flag "puts the interface into listening mode." It does not modify the interface at all (libpcap is what puts it into promiscuous mode, unless you pass -p), so this is a little bit of a misnomer; it just tells tcpdump which interface to listen on. Lastly, be aware that -w writes the raw packets in binary pcap format, which you read back with tcpdump -r my.log (or open in Wireshark). If you want readable text in a file instead, let tcpdump print to the screen and redirect its output with > or pipe it through tee; -l (line buffering) exists precisely so that piped output appears as each packet arrives.

B is incorrect because the -l flag does not put the interface in listening mode; it line-buffers the output, which matters only when you pipe it to another program.

C and D are incorrect for the same reason: flags are designated with a dash (-), not a slash (/).

24. Which of the following tools can assist with IDS evasion? (Choose all that apply.)

A. Whisker

B. Fragroute

C. Capsa

D. Wireshark

E. ADMmutate

F. Inundator

A, B, E, and F. IDS evasion comes down to a few methods: encryption, flooding, fragmentation (session splicing), and polymorphism. Whisker is an old HTTP vulnerability scanner whose evasion modes introduced session splicing, and it can still craft those fragments. Fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, and can fragment and reorder an attack payload over multiple packets. ADMmutate is a polymorphic shellcode engine: it re-encodes the same shellcode differently each time, so a fixed signature will not match. Inundator is a flooding tool that generates streams of false positives to give you cover fire.

C and D are incorrect because both Capsa (Colasoft) and Wireshark are sniffers, not evasion tools.

25. Which command puts Snort into packet logger mode?

A. ./snort -dev -l ./log

B. ./snort -v

C. ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf

D. None of the above

A. This is the proper syntax to start Snort in packet logger mode. Assuming the ./log directory exists, Snort will happily log packets as it captures them. Here are some other flags of note within this command:

• -v puts Snort in verbose mode, to look at all packets.

• -d includes the application layer information, when used with the -v argument.

• -e includes the data link layer information with the packet.

When put altogether, the -dev arguments tell Snort to display all packet data, including the headers.

B is incorrect because this syntax starts Snort in sniffer mode, meaning packet headers are displayed directly to the screen.

C is incorrect because this syntax starts Snort in network intrusion detection mode. Yes, the -l switch logs packets, but the bigger issue for you here is the addition of the -c switch, which names the configuration file the NIDS needs.

D is incorrect because the correct syntax is indeed displayed.

26. A security administrator is attempting to “lock down” her network and blocks access from internal to external on all external firewall ports except for TCP 80 and TCP 443. An internal user wants to make use of other protocols to access services on remote systems (FTP, as well as some nonstandard port numbers). Which of the following is the most likely choice the user could attempt to communicate with the remote systems over the protocol of her choice?

A. HTTP tunneling.

B. Send all traffic over UDP instead of TCP.

C. Crack the firewall and open the ports required for communication.

D. MAC flood the switch connected to the firewall.

A. If you happen to own the companion book to this practice exams tome, you are undoubtedly aware by now that we harp on protocols not necessarily being tied to a given port number in the real world. Sure, FTP is supposed to be on TCP port 21, SMTP on 25, and Telnet on 23, but the dirty little truth is they do not have to be. An HTTP tunnel is a brilliant example of this. To the firewall and everyone else watching, traffic from your machine is riding harmless little old port 80: nothing to see here folks, just plain old, regular HTTP traffic. But a peek inside that harmless little tunnel shows you can run anything you want. Typically you connect to an external server over port 80 (or over 443, where the tunnel is wrapped in TLS and even a proxy cannot read it), and it unwraps and forwards your other protocol traffic for you once you have gotten it past your pesky firewall.

B is incorrect because, well, this is just a ridiculous answer. UDP ports are filtered by a firewall just like TCP ports, so sending only UDP would be useless.

C is incorrect because while it would certainly allow the communication, it would not for very long. Every sensor on the network would be screaming, and the happy little security admin would lock it back down ASAP. Not to mention, you would get fired.

D is incorrect because MAC flooding refers to active sniffing on a switch, not bypassing a firewall.
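Questions 20, 22 and 26 all turn on the same fact: a port number is a convention, not a guarantee. The detection side of that fact is a check on what actually speaks on a port-80 connection. The classifier below is an added example, not code from the book or from any IDS product; it looks at the first bytes a client sends and reports plain HTTP, a TLS handshake, SSH, an HTTP CONNECT request (the tunnelling method built into HTTP itself), or a request whose body carries another protocol's opening bytes. The samples and the binary-body threshold are constructed:

```python
"""Is the traffic on port 80 really HTTP?

Added example, not from the book or from any IDS. It inspects the first bytes a
client sends on a port-80 connection and classifies what actually speaks there:
plain HTTP, TLS, SSH, a CONNECT request (HTTP's own tunnelling method), or a
request whose body starts with another protocol's first bytes or carries binary
under a text content type. The samples and the 30% threshold are constructed.
"""
import re

REQUEST_LINE = re.compile(rb"^([A-Z]+) \S+ HTTP/1\.[01]\r\n")
TLS_VERSIONS = {b"\x03\x00", b"\x03\x01", b"\x03\x02", b"\x03\x03"}
# What a client's first bytes look like for SSH, TLS, FTP and SMTP respectively
FOREIGN_BANNERS = (b"SSH-", b"\x16\x03", b"USER ", b"EHLO ", b"HELO ")
TEXT_TYPES = (b"text/", b"application/x-www-form-urlencoded", b"application/json")
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def parse_headers(head: bytes) -> dict:
    """Header name (lower-cased) -> value for the lines after the request line."""
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def nonprintable_ratio(data: bytes) -> float:
    return sum(1 for b in data if b not in PRINTABLE) / len(data) if data else 0.0


def classify_port80(first_bytes: bytes) -> str:
    if first_bytes[:1] == b"\x16" and first_bytes[1:3] in TLS_VERSIONS:
        return "tls-handshake"          # TLS record type 22 (handshake)
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    m = REQUEST_LINE.match(first_bytes)
    if not m:
        return "unknown"
    if m.group(1) == b"CONNECT":
        return "http-connect-tunnel"    # the proxy is asked to relay a raw TCP stream
    head, _, body = first_bytes.partition(b"\r\n\r\n")
    content_type = parse_headers(head).get(b"content-type", b"").lower()
    if body:
        if body.startswith(FOREIGN_BANNERS):
            return "http-tunnel-suspect"  # another protocol's opening bytes inside the body
        if content_type.startswith(TEXT_TYPES) and non_printable(body) > 0.3:
            return "http-tunnel-suspect"  # declared as text, carries binary
    return "http"


def non_printable(body: bytes) -> float:
    return nonprintable_ratio(body)
```

A tunnel that base64-encodes its payload into a form field passes this check, which is why mature sensors (Zeek's dynamic protocol detection, Snort's application identification) profile the whole conversation rather than the first request; the point of the exercise is that trusting the port number at all is the mistake.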