Trojans and Other Attacks - CEH Certified Ethical Hacker Practice Exams Second Edition (2014)


Trojans and Other Attacks

This chapter includes questions from the following topics:

• Define Trojans and their purpose

• Identify common Trojan ports

• Identify Trojan deployment methods

• Identify Trojan countermeasures

• Define viruses and worms

• Identify virus countermeasures

• Describe DoS attacks

• Define common DoS attack types

• Describe session hijacking and sequence prediction


When you’re a dad, you tend to pile up gross stories of fixing things, saving things, and cleaning up things. By the time your kids get to be 6 or 7 years old, you feel like you probably should’ve spent half of the previous few years in a hazmat suit or being decontaminated in some full-body spray-down room. Kids have a unique way of taking something simple and turning it into an experience parents will need counseling to deal with later. And as bad as it is when they’re toddlers, it gets worse as they get older—because they introduce a whole new set of tools to enrich your life.

The first time I ever plunged a toilet I was a 24-year-old father of two little girls. The girls had gotten more than a little carried away with the paper and had to, um, continue afterward even though the toilet was clogged. By the time I got in there, it was out of hand, and plunging the thing was inevitable. I didn’t want to do it, and I certainly didn’t enjoy it, but I grabbed the tool at hand to get the job done and performed the duties I was called upon to complete.

Much like that old wooden-handled plunger I used back in the mid-1990s, your pen test tool set can be augmented by visiting the dark side yourself, wielding tools and actions that may seem a bit unsavory to you. Although you may not think of malware and viruses as pen test methods, they’re definitely tools in the arsenal and something you really need to know about—for your job and especially this exam.

STUDY TIPS  Most of the questions from the malware sections—especially those designed to trip you up—will be of the pure memorization type. Stick with key words for each definition (it’ll help you in separating good answers from bad ones), especially for the virus types. Don’t miss an easy point on the exam because you forgot the difference between polymorphic and multipartite or why a worm is different from a virus. Tool identification should also be relatively straightforward (assuming you commit all those port numbers to memory, like I told you to do).

Finally, as always, get rid of the answers you know to be wrong in the first place. It’s actually easier sometimes to identify the ones you downright know aren’t relevant to the question. Then, from the remainder, you can scratch your gray matter for the key word that will shed light on the answer.

Questions

1. Examine the Wireshark TCP flow capture here:

image

Which of the following represents the next appropriate acknowledgment from Host A?

A. Sequence Number 701, Acknowledgment Number 2664

B. Sequence Number 701, Acknowledgment Number 3986

C. Sequence Number 2664, Acknowledgment Number 2023

D. Sequence Number 2664, Acknowledgment Number 701

2. You have established a Netcat connection to a target machine. Which flag can be used to launch a program?

A. –p

B. –a

C. –l

D. –e

3. Which database type was targeted by the Slammer worm?

A. Microsoft SQL

B. MySQL

C. Oracle

D. Sybase

4. Which virus type will rewrite itself after each new infection?

A. Multipartite

B. Metamorphic

C. Cavity

D. Macro

5. A pen test colleague is carrying out attacks. In one attack, she attempts to guess the ISN for a TCP session. Which attack is she most likely carrying out?

A. XSS

B. Session splicing

C. Session hijacking

D. Multipartite attack

6. Which of the following malware types does not require user intervention to spread?

A. Trojan

B. Virus

C. Worm

D. Polymorphic

7. An attacker is attempting a DoS attack against a machine. She first spoofs the target’s IP address and then begins sending large amounts of ICMP packets containing the MAC address FF:FF:FF:FF:FF:FF. What attack is underway?

A. ICMP flood

B. Ping of death

C. SYN flood

D. Smurf

E. Fraggle

8. Tripwire is one of the most popular tools to protect against Trojans. Which of the following statements best describes Tripwire?

A. Tripwire is a signature-based antivirus tool.

B. Tripwire is a vulnerability assessment tool used for port scanning.

C. Tripwire is a file integrity program.

D. Tripwire is a session-splicing tool.

9. Which of the following tools are good choices for session hijack attempts? (Choose all that apply.)

A. Ettercap

B. Netcat

C. Hunt

D. Nessus

10. In regard to Trojans, which of the following best describes a wrapper?

A. The legitimate file the Trojan is attached to

B. A program used to bind the Trojan to a legitimate file

C. Encryption methods used for a Trojan

D. Polymorphic code used to avoid detection by antivirus programs

11. Which of the following are true regarding BugBear and Pretty Park? (Choose three.)

A. Both programs make use of e-mail.

B. Pretty Park propagates via network shares and e-mail.

C. BugBear propagates via network shares and e-mail.

D. Pretty Park uses an IRC server to send your personal passwords.

E. Pretty Park terminates antivirus applications.

12. Which of the following is a legitimate communication path for the transfer of data?

A. Overt

B. Covert

C. Authentic

D. Imitation

E. Actual

13. In what layer of the OSI reference model is session hijacking carried out?

A. Data link layer

B. Transport layer

C. Network layer

D. Physical layer

14. A pen test team member types the following command:

image

Which of the following is true regarding this attempt?

A. The attacker is attempting to connect to an established listening port on a remote computer.

B. The attacker is establishing a listening port on his machine for later use.

C. The attacker is attempting a DoS against a remote computer.

D. The attacker is attempting to kill a service on a remote machine.

15. Examine the partial command-line output listed here:

image

Which of the following is a true statement regarding the output?

A. This is output from a netstat –an command.

B. This is output from a netstat –b command.

C. This is output from a netstat –e command.

D. This is output from a netstat –r command.

16. You are discussing malware with a new pen test member who asks about restarting executables. Which registry keys within Windows automatically run executables and instructions? (Choose all that apply.)

A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

B. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

C. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

D. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

17. Which of the following best describes a covert channel?

A. An application using a port number that is not well-known

B. Using a protocol in a way it is not intended to be used

C. Multiplexing a communication link

D. WEP encryption channels

18. Which denial-of-service attack involves sending SYN packets to a target machine but never responding to any of the SYN/ACK replies?

A. SYN flood

B. SYN attack

C. Smurf

D. LOIC

19. Which of the following takes advantage of weaknesses in the fragment reassembly functionality of TCP/IP?

A. Teardrop

B. SYN flood

C. Smurf attack

D. Ping of death

20. IPSec is an effective preventative measure against session hijacking. Which IPSec mode encrypts only the data payload?

A. Transport

B. Tunnel

C. Protected

D. Spoofed

21. Which type of session hijacking is displayed in Figure 8-1?

A. Cross-site scripting attack

B. SQL injection attack

C. Token sniffing attack

D. Session fixation attack

Figure 8-1  Session hijacking example

22. Which of the following best describes the comparison between spoofing and session hijacking?

A. Spoofing and session hijacking are the same thing.

B. Spoofing interrupts a client’s communication, whereas hijacking does not.

C. Hijacking interrupts a client’s communication, whereas spoofing does not.

D. Hijacking emulates a foreign IP address, whereas spoofing refers to MAC addresses.

23. Which of the following is an effective deterrent against session hijacking?

A. Install and use a HIDS on the system.

B. Install and use Tripwire on the system.

C. Enforce good password policy.

D. Use unpredictable sequence numbers.

24. A pen test team member types the following command:

image

Which of the following are true regarding this command? (Choose all that apply.)

A. Ettercap is being configured for a GUI interface.

B. Ettercap is being configured as a sniffer.

C. Ettercap is being configured for text mode.

D. Ettercap is being configured for manual mode.

E. Ettercap is being configured for a man-in-the-middle attack.

25. Within a TCP packet dump, a packet is noted with the SYN flag set and a sequence number set at A13F. What should the acknowledgment number in the return SYN/ACK packet be?

A. A131

B. A130

C. A140

D. A14F

26. When is session hijacking performed?

A. Before the three-step handshake

B. During the three-step handshake

C. After the three-step handshake

D. After a FIN packet

Quick Answer Key

1. B

2. D

3. A

4. B

5. C

6. C

7. D

8. C

9. A, C

10. B

11. A, C, D

12. A

13. B

14. A

15. A

16. A, B, C, D

17. B

18. A

19. A

20. A

21. D

22. C

23. D

24. C, E

25. C

26. C

Answers

1. Examine the Wireshark TCP flow capture here:

image

Which of the following represents the next appropriate acknowledgment from Host A?

A. Sequence Number 701, Acknowledgment Number 2664

B. Sequence Number 701, Acknowledgment Number 3986

C. Sequence Number 2664, Acknowledgment Number 2023

D. Sequence Number 2664, Acknowledgment Number 701

B. Sequence and acknowledgment number prediction can get really, really confusing when you take all the options into account—acknowledgment numbers, window sizes, and so on—but thankfully it’ll be pretty easy on your exam. An acknowledgment packet will carry the agreed-upon sequence number (in this case, 701) and then acknowledge receipt of the previous packet by advancing the acknowledgment number by the size of the packet received. In this example, the agreed-upon sequence number is 701, and the receipt of the previous packet is acknowledged by adding the previous sequence number (2664) to the packet length (1322): 2664 + 1322 = 3986.

A, C, and D are incorrect choices because the sequence and acknowledgment numbers do not add up. You can follow the preceding TCP stream and watch the acknowledgment number increment by the packet length. You can also see this at home: Open a Wireshark session and capture a TCP session; then choose Statistics, Flow Graph, and TCP Flow.
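The arithmetic behind this answer (and behind question 25, where a SYN consumes one sequence number so the SYN/ACK acknowledges ISN + 1) is small enough to write down as code. The following is an added example, not from the book: it computes the sequence/acknowledgment pair a host should send next from a list of observed segments, and flags any segment whose ACK field disagrees with the preceding traffic. The flow below is constructed to match the numbers quoted in the question (701, 2023, 2664, 1322, 3986); host labels and the `Segment` type are assumptions for the example.

```python
"""TCP sequence/acknowledgment arithmetic (added example, not from the book).

Rule: a host's acknowledgment number is the peer's last sequence number plus
the sequence space that segment consumed (payload bytes, plus one for SYN
and one for FIN); its own sequence number advances only by what it has sent.
All arithmetic wraps modulo 2**32.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MOD = 2 ** 32


@dataclass
class Segment:
    src: str                   # label of the sending host (assumed: "A", "B", ...)
    seq: int                   # sequence number in the TCP header
    length: int                # payload bytes carried
    syn: bool = False
    fin: bool = False
    ack: Optional[int] = None  # acknowledgment number, if the ACK flag was set


def consumed(seg: Segment) -> int:
    """Sequence space used by a segment: payload plus one each for SYN and FIN."""
    return seg.length + int(seg.syn) + int(seg.fin)


def expected_ack(segments: List[Segment], host: str) -> int:
    """Acknowledgment number `host` should send: the next byte expected from its peer."""
    peer = [s for s in segments if s.src != host]
    if not peer:
        raise ValueError("nothing from the peer to acknowledge yet")
    last = peer[-1]
    return (last.seq + consumed(last)) % MOD


def next_seq(segments: List[Segment], host: str) -> int:
    """Sequence number `host` uses next: its last seq advanced by what that segment consumed."""
    own = [s for s in segments if s.src == host]
    if not own:
        raise ValueError("host has not sent anything; its ISN is not yet known")
    last = own[-1]
    return (last.seq + consumed(last)) % MOD


def next_acknowledgment(segments: List[Segment], host: str) -> Tuple[int, int]:
    """(seq, ack) pair for the next pure ACK sent by `host`."""
    return next_seq(segments, host), expected_ack(segments, host)


def check_flow(segments: List[Segment]) -> List[int]:
    """Indexes of segments whose ACK field disagrees with what the preceding
    traffic implies. A clean capture returns []; a segment injected by a third
    party that guessed the numbers wrong shows up here."""
    bad = []
    for i, seg in enumerate(segments):
        if seg.ack is None:
            continue
        try:
            want = expected_ack(segments[:i], seg.src)
        except ValueError:
            continue  # first segment from this side; nothing to check against
        if seg.ack != want:
            bad.append(i)
    return bad


# Constructed flow between Host A and Host B, matching the question's numbers.
FLOW = [
    Segment("B", seq=2023, length=641, ack=701),    # B sends 641 bytes
    Segment("A", seq=701, length=0, ack=2664),      # A acknowledges 2023 + 641
    Segment("B", seq=2664, length=1322, ack=701),   # B sends 1322 more bytes
]

if __name__ == "__main__":
    print(next_acknowledgment(FLOW, "A"))   # (701, 3986)
    # Question 25: a SYN with sequence A13F is acknowledged with A140.
    print(hex(expected_ack([Segment("C", seq=0xA13F, length=0, syn=True)], "S")))  # 0xa140
    print(check_flow(FLOW))                 # []
```

`next_seq` stays at 701 for Host A because A's previous segment was a pure ACK carrying no data, which is exactly why the sequence number in the correct answer does not move.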

2. You have established a Netcat connection to a target machine. Which flag can be used to launch a program?

A. –p

B. –a

C. –l

D. –e

D. Netcat is often referred to as the Swiss Army knife of hacking efforts. You can use it to set up a listening port on target machines that you can then revisit to wreak all sorts of havoc. The flag associated with launching a program is –e. For example, issuing the command

image

will open a Windows command shell on the target machine; the –t flag sets up a telnet connection over the port you defined with the –p flag (12657).

A is incorrect because the –p flag indicates the protocol port you want to use for your session.

B is incorrect because –a is not a recognized Netcat flag.

C is incorrect because the –l flag indicates Netcat should open the port for listening. As an aside, the –L flag does the same thing; however, it restarts listening after the inbound session completes.

3. Which database type was targeted by the Slammer worm?

A. Microsoft SQL

B. MySQL

C. Oracle

D. Sybase

A. The Slammer worm, a.k.a. SQL Slammer, wreaked havoc in Microsoft SQL installations in 2003. It exploited a buffer-overflow vulnerability in SQL Server 2000 and propagated via UDP port 1434. Microsoft’s MS02-039 patch resolved the issues but not before thousands of machines were infected.

B, C, and D are incorrect because Slammer did not affect these SQL server types.

4. Which virus type will rewrite itself after each new infection?

A. Multipartite

B. Metamorphic

C. Cavity

D. Macro

B. EC-Council defines several different virus types, depending on what the virus does, how it acts, and how it is written. In the case of a metamorphic virus, it will rewrite itself each time it infects a new file. Metamorphic viruses write versions of themselves in machine code, making it easy to port to different machines.

A is incorrect because multipartite viruses do not rewrite themselves. They attempt to infect and spread in multiple ways and try to infect files and the boot sector at the same time. They can spread quickly and are notoriously hard to clean.

C is incorrect because a cavity virus writes itself into unused space within a file. The idea is to maintain the file’s size.

D is incorrect because macro viruses do not rewrite themselves. Macro viruses usually attack Microsoft Office files, executing as a macro within the file itself (anyone who’s ever been stuck in Excel purgatory should be familiar with macros within a spreadsheet). Melissa (a famous virus attacking Microsoft Word 1997) is a classic example of a macro virus.

5. A pen test colleague is carrying out attacks. In one attack, she attempts to guess the ISN for a TCP session. Which attack is she most likely carrying out?

A. XSS

B. Session splicing

C. Session hijacking

D. Multipartite attack

C. The idea behind session hijacking is fairly simple: The attacker waits for a session to begin and, after all the pesky authentication gets done, jumps in to steal the session for herself. In practice, it’s a little harder and more complicated than that, but the key to the whole attack is in determining the initial sequence number (ISN) used for the session. The ISN is sent by the initiator of the session in the first step (SYN). This is acknowledged in the second handshake (SYN/ACK) by incrementing that ISN by 1, and then another ISN is generated by the recipient. This second number is acknowledged by the initiator in the third step (ACK) and from there on out communication can occur. Per EC-Council, the following steps describe the session hijack:

1. Sniff the traffic between the client and the server.

2. Monitor the traffic and predict the sequence numbering.

3. Desynchronize the session with the client.

4. Predict the session token and take over the session.

5. Inject packets to the target server.

For what it’s worth, pulling this attack off via EC-Council’s take on the whole matter requires you to do some fairly significant traffic sniffing. And if you’re already positioned to sniff the traffic in the first place, wouldn’t the whole scenario possibly be a moot point? You need to know it for the exam, but real-world application may be small and rare.

A is incorrect because cross-site scripting is a web application attack.

B is incorrect because session splicing is an IDS evasion method. The attacker delivers a payload that the IDS would have otherwise seen by “slicing” it over multiple packets. The payload can be spread out over a long period of time.

D is incorrect because multipartite refers to a virus type, not an attack that requires ISN determination.

6. Which of the following malware types does not require user intervention to spread?

A. Trojan

B. Virus

C. Worm

D. Polymorphic

C. A worm is a self-replicating malware computer program that uses a computer network to send copies of itself to other systems without human intervention. It usually doesn’t alter files; instead it resides in active memory and duplicates itself, eating up resources and wreaking havoc along the way. The most common use for a worm in the hacking world is the creation of botnets. A classic worm example you will no doubt see on your exam is Conficker. It targeted Windows machines starting in 2008, infecting millions of computers worldwide, making it the largest computer worm infection in history.

A is incorrect because Trojans need human interaction to spread. A Trojan is software that appears to perform a desirable function for the user prior to running or installation but instead performs a function, usually without the user’s knowledge, that steals information or otherwise harms the system (or data). Much like the horse used to fool the people of Troy, Trojan malware is usually hidden inside something that appears totally harmless or even beneficial.

B is incorrect because viruses do not spread without user intervention. By definition, viruses are attached to other files and are activated when those files are executed. Viruses are spread when users copy infected files from one machine to another.

D is incorrect because viruses need human interaction to spread. A polymorphic piece of malware (a type of virus) still requires interaction; it just morphs its code along the way.

7. An attacker is attempting a DoS attack against a machine. She first spoofs the target’s IP address and then begins sending large amounts of ICMP packets containing the MAC address FF:FF:FF:FF:FF:FF. What attack is underway?

A. ICMP flood

B. Ping of death

C. SYN flood

D. Smurf

E. Fraggle

D. A smurf attack is a generic denial-of-service (DoS) attack against a target machine. The idea is simple: have so many ICMP requests going to the target that all its resources are taken up. To accomplish this, the attacker spoofs the target’s IP address and then sends thousands of ping requests from that spoofed IP to the subnet’s broadcast address. This, in effect, pings every machine on the subnet. Assuming they’re configured to do so, every machine will respond to the request, effectively crushing the target’s network resources.

A is incorrect because an ICMP flood does not act this way. In this attack, the hacker sends ICMP Echo packets to the target with a spoofed (fake) source address. The target continues to respond to an address that doesn’t exist and eventually reaches a limit of packets per second sent.

B is incorrect because a ping of death does not act this way. It’s not a valid attack with modern systems because of preventative measures in the OS; in the ping of death, an attacker fragments an ICMP message to send to a target. When the fragments are reassembled, the resulting ICMP packet is larger than the maximum size and crashes the system. As an aside, each OS has its own method of dealing with network protocols, and the implementation of dealing with particular protocols opens up things like this.

C is incorrect because a SYN flood takes place when an attacker sends multiple SYN packets to a target without providing an acknowledgment to the returned SYN/ACK. This is another attack that does not necessarily work on modern systems.

E is incorrect because in a fraggle attack, UDP packets are used. The same principle applies—spoofed IP and Echo requests sent to the broadcast address—it’s just with UDP.

8. Tripwire is one of the most popular tools to protect against malware. Which of the following statements best describes Tripwire?

A. Tripwire is a signature-based antivirus tool.

B. Tripwire is a vulnerability assessment tool used for port scanning.

C. Tripwire is a file integrity program.

D. Tripwire is a session-splicing tool.

C. Although it has grown substantially from its early days as nothing more than a file integrity checker, Tripwire is a well-respected integrity verifier that can act as a host-based intrusion detection system (HIDS) in protection against Trojans. Simply put, Tripwire runs a file integrity check against critical files on your system. If they change—because of malware or any other circumstance—Tripwire can alert you and prevent the Trojan from being activated.

A and B are incorrect because these are not functions Tripwire performs. Per the Tripwire website (www.tripwire.com), “Tripwire offerings solve the security configuration management, continuous monitoring, and incident detection problems facing organizations of all sizes, as stand-alone solutions or in concert with other IT security controls.” Antivirus and vulnerability assessment are not functions this particular tool is designed for.

D is incorrect because session splicing is an IDS evasion technique, not a function of Tripwire—not to mention session splicing does absolutely nothing to prevent Trojans.

9. Which of the following tools are good choices for session hijack attempts? (Choose all that apply.)

A. Ettercap

B. Netcat

C. Hunt

D. Nessus

A and C. Both Ettercap and Hunt are good tools for session hijacking. Ettercap is an excellent man-in-the-middle tool and can be run from a variety of platforms (although it is Linux native). Per the Ettercap home page (http://ettercap.sourceforge.net/), “Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.” Hunt is probably one of the best-known session-hijacking tools. Hunt can sniff, hijack, and reset connections at will.

B is incorrect because Netcat is not a session hijack application. It is valuable for setting up listening ports and executing commands on target machines, but it’s not designed for session hijacking.

D is incorrect because Nessus is a vulnerability assessment tool.

10. In regard to Trojans, which of the following best describes a wrapper?

A. The legitimate file the Trojan is attached to

B. A program used to bind the Trojan to a legitimate file

C. Encryption methods used for a Trojan

D. Polymorphic code used to avoid detection by antivirus programs

B. Wrappers are programs that allow you to bind an executable of your choice (Trojan) to an innocent file your target won’t mind opening. For example, you might use a program such as EliteWrap to embed a backdoor application with a game file (.exe). A user on your target machine then opens the latest game file (maybe to play a hand of cards against the computer or to fling a bird at pyramids built by pigs) while your backdoor is installing and sits there waiting for your use later. As an aside, many wrappers themselves are considered malicious and will show up on any up-to-date virus signature list.

A, C, and D are all incorrect definitions of a wrapper in regard to Trojans. The wrapper is used to bind the Trojan to the legitimate file and has nothing to do with encryption of the Trojan itself. Polymorphic code deals with a type of virus that changes its code to avoid detection by signature-based antivirus programs.

11. Which of the following are true regarding BugBear and Pretty Park? (Choose three.)

A. Both programs make use of e-mail.

B. Pretty Park propagates via network shares and e-mail.

C. BugBear propagates via network shares and e-mail.

D. Pretty Park uses an IRC server to send your personal passwords.

E. Pretty Park terminates antivirus applications.

A, C, and D. Believe it or not, you will be asked some rather inane questions regarding specific viruses, worms, and Trojans. While most of the time it’ll be silly things like “Which port number is used by ______?” occasionally you’ll see one like this. There’s no rhyme or reason—it’s just the way it is. In this case, both BugBear and Pretty Park use e-mail, but only BugBear can propagate through network shares. BugBear actually tries killing any resident antivirus programs, and Pretty Park uses IRC for all sorts of information-stealing activities.

B and E are incorrect because these are not true statements. Pretty Park cannot use network shares and does not terminate antivirus programs.

12. Which of the following is a legitimate communication path for the transfer of data?

A. Overt

B. Covert

C. Authentic

D. Imitation

E. Actual

A. This is another one of those easy, pure-definition questions you simply can’t miss on your exam. Whether the channel is inside a computer, between systems, or across the Internet, any legitimate channel used for communications and data exchange is known as an overt channel. And don’t let the inherent risk of any channel itself make the decision for you—even if the channel itself is a risky endeavor, if it is being used for its intended purpose, it’s still overt. For example, an IRC or a gaming link is still an overt channel, so long as the applications making use of it are legitimate. Overt channels are legitimate communication channels used by programs across a system or a network, whereas covert channels are used to transport data in ways they were not intended for.

B is incorrect because a covert channel, per EC-Council’s own definition, is “a channel that transfers information within a computer system or network in a way that violates security policy.” For example, a Trojan might create a channel for stealing passwords or downloading sensitive data from the machine.

C, D, and E are incorrect because none of these is a term for the communications channel; they are included here as distractors.

13. In what layer of the OSI reference model is session hijacking carried out?

A. Data link layer

B. Transport layer

C. Network layer

D. Physical layer

B. Think about a session hijack, and this makes sense. Authentication has already occurred, so we know both computers have already found each other. Therefore, the physical, data link, and network layers have already been eclipsed. And what is being altered and played with in these hijacking attempts? Why, the sequence numbers, of course, and sequencing occurs at the transport layer. Now, for all you real-world guys out there screaming that communications can be, and truly are, hijacked at every level, let me caution your outrage with something I’ve said repeatedly throughout this book: Sometimes the exam and reality are two different things, and if you want to pass the test, you’ll need to memorize it the way EC-Council wants you to. Session hijacking is taught in CEH circles as a measure of guessing sequence numbers, and that’s a transport layer entity. In the real world, your physical layer interception of a target would result in access to everything above, but on the exam just stick with “session hijacking = transport layer.”

A, C, and D are incorrect because these layers are not where a session hijack attack is carried out.

14. A pen test team member types the following command:

image

Which of the following is true regarding this attempt?

A. The attacker is attempting to connect to an established listening port on a remote computer.

B. The attacker is establishing a listening port on his machine for later use.

C. The attacker is attempting a DoS against a remote computer.

D. The attacker is attempting to kill a service on a remote machine.

A. As covered earlier, Netcat is a wonderful tool that allows all sorts of remote access wizardry on a machine, and you’ll need to be able to recognize the basics of the syntax. In the command example, Netcat is being told, “Please attempt a connection to the machine with the IP address of 222.15.66.78 on port 8765. I believe you’ll find the port in a listening state, waiting for our arrival.” Obviously at some point previous to issuing this command on his local machine, the pen tester planted the Netcat Trojan on the remote system (222.15.66.78) and set it up in a listening state. He may have set it up with a command-shell access (allowing a telnet-like connection to issue commands at will) using the following command:

image

B is incorrect because this command is issued on the client side of the setup, not the server side. At some point previously, the port was set to a listening state, and this Netcat command will access it.

C is incorrect because this command is not attempting a denial of service against the target machine. It’s included here as a distractor.

D is incorrect because this command is not attempting to kill a process or service on the remote machine. It’s included here as a distractor.

15. Examine the partial command-line output listed here:

image

Which of the following is a true statement regarding the output?

A. This is output from a netstat –an command.

B. This is output from a netstat –b command.

C. This is output from a netstat –e command.

D. This is output from a netstat –r command.

A. You’ll need to get to know Netstat before your exam. It’s not a huge thing, and you won’t get bogged down in minutiae, but you do need to know the basics. Netstat is a great command-line tool built into every Microsoft operating system. From Microsoft’s own description, Netstat “displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols).” It’s a great, easy way to see which ports you have open on your system, helping you to identify any naughty Trojans that may be hanging around. A netstat –an command will show all connections and listening ports in numerical form.

B is incorrect because the –b option displays the executable involved in creating each connection or listening port. Its output appears something like this:

image

C is incorrect because the –e flag displays Ethernet statistics for the system. The output appears something like this:

image

D is incorrect because the –r flag displays the route table for the system. A sampling of the output looks like this:

image
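Reading netstat –an output by eye works for a handful of lines; on a busy host you want the listening ports pulled out and compared against what should be there. The following is an added example, not from the book: it parses Windows-style netstat –an output, reports any listening port that is not on an allow-list, and counts half-open (SYN_RECEIVED) connections per local port, which is the symptom of the SYN flood described in question 18. The sample output is constructed; the unexpected listener reuses port 12657 from the Netcat explanation in question 2, and the allow-list is an assumption for the example.

```python
"""Parse `netstat -an` (Windows column layout) and flag unexpected listeners.
Added example; the sample output below is constructed, not captured."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12657          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49720     203.0.113.5:443        ESTABLISHED
  TCP    192.168.1.10:80        198.51.100.7:51001     SYN_RECEIVED
  TCP    192.168.1.10:80        198.51.100.7:51002     SYN_RECEIVED
  TCP    192.168.1.10:80        198.51.100.7:51003     SYN_RECEIVED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
"""


@dataclass(frozen=True)
class Conn:
    proto: str
    local_addr: str
    local_port: int
    foreign: str
    state: str  # "" for UDP, which has no connection state


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'0.0.0.0:135' -> ('0.0.0.0', 135); also handles '[::]:135'."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_netstat(text: str) -> List[Conn]:
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header, blank line
        host, port = split_endpoint(parts[1])
        state = parts[3] if len(parts) > 3 else ""
        conns.append(Conn(parts[0], host, port, parts[2], state))
    return conns


def listeners(conns: Iterable[Conn]) -> Set[Tuple[str, int]]:
    """(proto, port) pairs the host accepts traffic on; every UDP socket counts."""
    return {(c.proto, c.local_port) for c in conns
            if c.state == "LISTENING" or c.proto == "UDP"}


def unexpected_listeners(conns: Iterable[Conn],
                         allowed: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Listeners not on the allow-list: the candidates for a closer look."""
    return sorted(listeners(conns) - set(allowed))


def half_open(conns: Iterable[Conn]) -> Dict[int, int]:
    """SYN_RECEIVED connections per local port; many on one port suggests a SYN flood."""
    counts: Dict[int, int] = {}
    for c in conns:
        if c.state == "SYN_RECEIVED":
            counts[c.local_port] = counts.get(c.local_port, 0) + 1
    return counts


# Assumed allow-list for the example host: RPC endpoint mapper, SMB, and NTP.
ALLOWED = {("TCP", 135), ("TCP", 445), ("UDP", 123)}

if __name__ == "__main__":
    conns = parse_netstat(SAMPLE)
    print("unexpected listeners:", unexpected_listeners(conns, ALLOWED))  # [('TCP', 12657)]
    print("half-open per port:", half_open(conns))                       # {80: 3}
```

On a real host, feed the function the output of `netstat -an` (the -b variant discussed under option B would add the owning executable, which is the next thing to check for any port the allow-list does not explain).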

16. You are discussing malware with a new pen test member who asks about restarting executables. Which registry keys within Windows automatically run executables and instructions? (Choose all that apply.)

A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

B. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

C. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

D. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

A, B, C, and D. Creating malware and infecting a machine with it is accomplishing only the basics. Getting it to hang around by having it restart when the user reboots the machine? Now we’re talking. The Run, RunOnce, RunServices, and RunServicesOnce registry keys within the HKEY_LOCAL_MACHINE hive are great places to stick all sorts of executables. Because of this, it’s helpful to run registry monitoring on occasion to check for anything suspicious. Sys Analyzer, Regshot, and TinyWatcher are all options for this.
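The “registry monitoring” the explanation recommends comes down to snapshotting these four keys and diffing the snapshots. The following is an added example, not from the book and not Regshot’s, Sys Analyzer’s, or TinyWatcher’s code: it reads the Run, RunOnce, RunServices, and RunServicesOnce keys under HKEY_LOCAL_MACHINE with the standard `winreg` module when run on Windows, and compares two snapshots to list every autostart entry that was added, removed, or changed. The two snapshots below are constructed so the comparison runs on any platform; the value names and command lines in them are assumptions for the example.

```python
"""Regshot-style diff of the HKLM Run* autostart keys (added example)."""
from typing import Dict, List, Tuple

try:
    import winreg  # standard library, Windows only
except ImportError:
    winreg = None  # live reads are unavailable off Windows; snapshots can still be diffed

CURRENT_VERSION = r"SOFTWARE\Microsoft\Windows\CurrentVersion"
RUN_KEYS = [CURRENT_VERSION + "\\" + name
            for name in ("Run", "RunOnce", "RunServices", "RunServicesOnce")]

Snapshot = Dict[str, Dict[str, str]]  # key path -> {value name: command line}
Change = Tuple[str, str, str, str]    # (key path, value name, before, after); "" = absent


def snapshot() -> Snapshot:
    """Read every value under each Run* key in HKEY_LOCAL_MACHINE (Windows only)."""
    if winreg is None:
        raise RuntimeError("live registry reads require Windows")
    result: Snapshot = {}
    for path in RUN_KEYS:
        entries: Dict[str, str] = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                index = 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values
                    entries[name] = str(data)
                    index += 1
        except OSError:
            pass  # key absent (RunServices* do not exist on modern Windows)
        result[path] = entries
    return result


def diff(before: Snapshot, after: Snapshot) -> List[Change]:
    """Every autostart entry that appeared, vanished, or changed between two snapshots."""
    changes: List[Change] = []
    for path in RUN_KEYS:
        old, new = before.get(path, {}), after.get(path, {})
        for name in sorted(set(old) | set(new)):
            if old.get(name) != new.get(name):
                changes.append((path, name, old.get(name, ""), new.get(name, "")))
    return changes


# Constructed snapshots: a clean baseline, then the same host after two entries appeared.
BEFORE: Snapshot = {
    RUN_KEYS[0]: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    RUN_KEYS[1]: {},
    RUN_KEYS[2]: {},
    RUN_KEYS[3]: {},
}
AFTER: Snapshot = {
    RUN_KEYS[0]: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
                  "WindowsUpdater": r"C:\Users\Public\update.exe"},   # constructed entry
    RUN_KEYS[1]: {"Setup": r"C:\Temp\setup.exe"},                      # constructed entry
    RUN_KEYS[2]: {},
    RUN_KEYS[3]: {},
}

if __name__ == "__main__":
    for key, name, old, new in diff(BEFORE, AFTER):
        print(f"{key}\\{name}: {old!r} -> {new!r}")
```

Used as a periodic check, take `snapshot()` after a known-good build, store it off the host, and diff against a fresh `snapshot()` whenever the machine is reviewed; any entry pointing at a user-writable path such as a Public or Temp directory is the first thing to inspect.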

17. Which of the following best describes a covert channel?

A. An application using a port number that is not well-known

B. Using a protocol in a way it is not intended to be used

C. Multiplexing a communication link

D. WEP encryption channels

B. Yes, this is almost the same question we asked earlier. This means, for those of you paying attention, it’s probably important for you to know. A covert channel is, basically, a channel or protocol being used in a manner in which it was never intended to be used. This could be a communication channel exploited by a process to transfer information that violates the system’s security policy or making use of a protocol in a way it was not intended to be used. Stuck behind a firewall, but you’re using HTTP tunneling to communicate out? Welcome to covert channels.

A, C, and D are all incorrect definitions of a covert channel and are included as distractors.

18. Which denial-of-service attack involves sending SYN packets to a target machine but never responding to any of the SYN/ACK replies?

A. SYN flood

B. SYN attack

C. Smurf

D. LOIC

A. I know some of you are probably wondering whether I’m describing a half-open scan here, and certainly the description meets the criteria: Send a SYN packet and, based on the response, map which ports are open and which are closed. However, the volume, duration, and purpose define this as a SYN flood. In a SYN flood attack, the attacker sends thousands of SYN packets to the target but never responds to any of the return SYN/ACK packets. Because there is a certain amount of time the target must wait to receive an answer to the SYN/ACK (network congestion may be slowing things down, in a legitimate example), it will eventually bog down and run out of available connections.

B is incorrect because EC-Council defines a SYN attack and a SYN flood differently. Whereas a SYN flood takes advantage of tons of half-open connections, the SYN attack goes one step further—by spoofing the sending IP address in the first place. The target will attempt to respond with a SYN/ACK but will be unsuccessful because the sending address is false. Eventually, all the machine’s resources are engaged, and the DoS is successful.

C is incorrect because a smurf attack is a DoS attack making use of ICMP packets and broadcast addresses. The idea is simple: Spoof the target’s IP address and send multiple ping requests to the broadcast address of the subnet. The entire subnet will then begin sending ping responses to the target, exhausting the target’s resources and rendering it a giant paperweight.

D is incorrect because Low Orbit Ion Cannon (LOIC) is a simple-to-use DDoS tool that floods a target with TCP, UDP, or HTTP requests. It was originally written open source to attack various Scientology websites but has since had many people voluntarily joining a botnet to support all sorts of attacks. Recently, LOIC was used in a coordinated attack against Sony’s PlayStation network, and the tool has a track record of other successful hits: The Recording Industry Association of America, PayPal, MasterCard, and several other companies have all fallen victim to LOIC.
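Added example, not from the book: a defender-side check for the SYN-flood footprint described above (a pile-up of half-open connections, often from many distinct sources when the SYNs are spoofed), run over constructed netstat-style output. The state names handled, the addresses, and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample of netstat-style output (not a real capture): a few
# normal connections plus a burst of half-open SYN_RECV entries on port 80
# from many different sources, which is what a SYN flood looks like locally.
SAMPLE_NETSTAT = """\
Proto Local Address          Foreign Address        State
tcp   192.0.2.10:22          198.51.100.7:51022     ESTABLISHED
tcp   192.0.2.10:80          198.51.100.8:40112     ESTABLISHED
tcp   192.0.2.10:80          203.0.113.1:1025       SYN_RECV
tcp   192.0.2.10:80          203.0.113.2:1025       SYN_RECV
tcp   192.0.2.10:80          203.0.113.3:1025       SYN_RECV
tcp   192.0.2.10:80          203.0.113.4:1025       SYN_RECV
tcp   192.0.2.10:80          203.0.113.5:1025       SYN_RECV
tcp   192.0.2.10:80          203.0.113.6:1025       SYN_RECV
tcp   192.0.2.10:443         198.51.100.9:50001     TIME_WAIT
"""

# proto, local addr:port, foreign addr:port, state
LINE_RE = re.compile(r"^tcp\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")

def half_open_by_port(netstat_text):
    """Count half-open connections per local port (Linux shows SYN_RECV,
    Windows SYN_RECEIVED) and how many distinct foreign addresses sent them."""
    counts = Counter()
    sources = {}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or non-TCP line
        _local, lport, faddr, _fport, state = m.groups()
        if state in ("SYN_RECV", "SYN_RECEIVED"):
            counts[lport] += 1
            sources.setdefault(lport, set()).add(faddr)
    return counts, {p: len(s) for p, s in sources.items()}

def syn_flood_suspects(netstat_text, threshold=5):
    """Return {local_port: (half_open_count, distinct_sources)} for ports at
    or above the threshold. A distinct-source count close to the half-open
    count points at spoofed senders, the SYN attack variant described above."""
    counts, distinct = half_open_by_port(netstat_text)
    return {p: (counts[p], distinct[p]) for p in counts if counts[p] >= threshold}

if __name__ == "__main__":
    print(syn_flood_suspects(SAMPLE_NETSTAT))  # {'80': (6, 6)}
```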

19. Which of the following takes advantage of weaknesses in the fragment reassembly functionality of TCP/IP?

A. Teardrop

B. SYN flood

C. Smurf attack

D. Ping of death

A. It seemed like every study guide and reference material I picked up for version 7 included references to Conficker, but in version 8 the emphasis seems to have shifted to the teardrop attack. In a teardrop attack, overlapping, mangled packet fragments are sent in an effort to confuse a target system, causing it to reboot or crash. Teardrop attacks exploit an overlapping IP fragment bug present in Windows 95, Windows NT, and Windows 3.1 machines, as well as some early versions of Linux. The attack is really more of an annoyance than anything because a reboot clears it all up; however, anything that was open and altered, sitting unsaved on the device, would be lost.

B is incorrect because a SYN flood attack exhausts connections on a device by flooding it with thousands of open SYN packets, never sending any acknowledgments to the return SYN/ACKs.

C is incorrect because a smurf attack involves spoofing the target’s address and then pinging the broadcast address with it. The resulting flood of thousands of ICMP responses kills the machine.

D is incorrect because the ping of death attack involves sending a ping request with an unusually large payload. The ping would be fragmented and, when put together, would kill the target machine.

20. IPSec is an effective preventative measure against session hijacking. Which IPSec mode encrypts only the data payload?

A. Transport

B. Tunnel

C. Protected

D. Spoofed

A. IPSec is a wonderful encryption mechanism that can rather easily be set up between two endpoints or even across your entire subnet if you configure the hosts appropriately. You won’t need to know all the bells and whistles with IPSec (and thank goodness, because there’s a lot to write about), but you do need the basics. Transport mode does not affect the header of the packet at all and encrypts only the payload. It’s typically used as a secured connection between two endpoints, whereas Tunnel mode creates a VPN-like connection protecting the entire session. Additionally, Transport mode is compatible with conventional Network Address Translation (NAT).

B is incorrect because Tunnel mode encapsulates the entire packet, including the header. This is typically used to form a VPN connection, where the tunnel is used across an untrusted network (such as the Internet). For pretty obvious reasons, it’s not compatible with conventional NAT; when the packet goes through the router (or whatever is performing NAT for you), the source address in the packet changes because of Tunnel mode and, therefore, invalidates the packet for the receiving end. There are workarounds for this, generally lumped together as NAT traversal (NAT-T). Many home routers take advantage of something referred to as IPSec pass-through to allow just this.

C and D are invalid terms involving IPSec.

21. What type of session hijacking attack is shown in Figure 8-1?

A. Cross-site scripting attack

B. Cookie session attack

C. Token evasion attack

D. Session fixation attack

Figure 8-1  Session hijacking example

D. This is another example of something new that popped up in version 8: defining a session hijack type. In a session fixation attack, the hacker sends a link (containing an HTTP GET variable identifying the session) to a target. The link points the user to a vulnerable server and contains a predefined session ID (so the hacker knows it without having to sniff). The victim clicks the link and generates a connection and cookie. The attacker connects to the server using the same session ID (passing variables and data as a GET parameter) and voilà. The attacker must provide a legitimate web application session ID and can do so in a URL, hidden form field, or cookie.

A is incorrect because cross-site scripting can be used as part of a session hijack; however, it’s not shown in this illustration.

B and C are incorrect because they are not legitimate attack names and are included solely as distractors.

22. Which of the following best describes the comparison between spoofing and session hijacking?

A. Spoofing and session hijacking are the same thing.

B. Spoofing interrupts a client’s communication, whereas hijacking does not.

C. Hijacking interrupts a client’s communication, whereas spoofing does not.

D. Hijacking emulates a foreign IP address, whereas spoofing refers to MAC addresses.

C. Hijacking and spoofing can sometimes be confused with each other, although they really shouldn’t be. Spoofing refers to a process where the attacking machine pretends to be something it is not. Whether by faking a MAC address or an IP address, the idea is that other systems on the network will communicate with your machine (that is, set up and tear down sessions) as if it’s the target system: Generally this is used to benefit sniffing efforts. Hijacking is a totally different animal. In hijacking, the attacker jumps into an already existing session, knocking the client out of it and fooling the server into continuing the exchange. In many cases, the client will simply reconnect to the server over a different session, with no one the wiser: The server isn’t even aware of what happened, and the client simply connects again in a different session. As an aside, EC-Council describes the session hijack in these steps:

1. Sniff the traffic between the client and the server.

2. Monitor the traffic and predict the sequence numbering.

3. Desynchronize the session with the client.

4. Predict the session token and take over the session.

5. Inject packets to the target server.

A is incorrect because spoofing and hijacking are different. An argument can be made that hijacking makes use of some spoofing, but the two attacks are separate entities: Spoofing pretends to be another machine, eliciting (or setting up) sessions for sniffing purposes, whereas hijacking takes advantage of existing communications sessions.

B is incorrect because spoofing doesn’t interrupt a client’s existing session at all; it’s designed to sniff traffic and/or set up its own sessions.

D is incorrect because spoofing isn’t relegated to MAC addresses only. You can spoof almost anything, from MAC and IP addresses to system names and services.

23. Which of the following is an effective deterrent against session hijacking?

A. Install and use a HIDS on the system.

B. Install and use Tripwire on the system.

C. Enforce good password policy.

D. Use unpredictable sequence numbers.

D. As noted already, session hijacking requires the attacker to guess the proper upcoming sequence number(s) to pull off the attack, pushing the original client out of the session. Using unpredictable session IDs (or, better stated in the real world, using a modern operating system with less predictable sequence numbers) in the first place protects against this. Other countermeasures for session hijacking are fairly common sense: Use encryption to protect the channel, limit incoming connections, minimize remote access, and regenerate the session key after authentication is complete. And, lastly, don’t forget user education: If the users don’t know any better, they might not think twice about clicking past the security certificate warning or reconnecting after being suddenly shut down.

A is incorrect because a host-based intrusion detection system may not deter session hijacking at all.

B is incorrect because Tripwire is a file integrity application and won’t do a thing for session hijacking prevention.

C is incorrect because system passwords have nothing to do with session hijacking.
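Added example, not from the book, tying the session fixation attack of question 21 to the "regenerate the session key after authentication is complete" countermeasure here: a hypothetical in-memory session store with a fixation-prone login handler beside the hardened one. The class, function names, and the pre-chosen session ID are all constructed for this illustration.

```python
import secrets

class SessionStore:
    """Hypothetical in-memory session table (session_id -> attributes),
    written for this example; not a real framework's API."""
    def __init__(self):
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # unpredictable, server-chosen ID
        self.sessions[sid] = {"user": None}
        return sid

def login_fixable(store, sid_from_request, username):
    """VULNERABLE: binds the login to whatever session ID the request carries
    (URL parameter, hidden form field or cookie). If that ID was planted in
    a link sent to the victim, the sender now holds an authenticated session."""
    store.sessions.setdefault(sid_from_request, {"user": None})
    store.sessions[sid_from_request]["user"] = username
    return sid_from_request

def login_hardened(store, sid_from_request, username):
    """HARDENED: drop the pre-login session and issue a fresh, server-generated
    ID at authentication time, so any ID known before login is worthless."""
    store.sessions.pop(sid_from_request, None)
    new_sid = store.new_session()
    store.sessions[new_sid]["user"] = username
    return new_sid

def fixation_succeeded(store, planted_sid):
    """True if an ID known before login now maps to a logged-in user."""
    return store.sessions.get(planted_sid, {}).get("user") is not None

def demo(login_fn):
    """Run one login through the given handler with a constructed, pre-chosen
    session ID; return (fixation succeeded?, was the ID rotated?)."""
    store = SessionStore()
    planted = "sid-known-before-login-0001"  # constructed sample value
    victim_sid = login_fn(store, planted, "alice")
    return fixation_succeeded(store, planted), victim_sid != planted

if __name__ == "__main__":
    print("fixable :", demo(login_fixable))   # (True, False)
    print("hardened:", demo(login_hardened))  # (False, True)
```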

24. A pen test team member types the following command:

[Figure: command line (not reproduced)]

Which of the following are true regarding this command? (Choose all that apply.)

A. Ettercap is being configured for a GUI interface.

B. Ettercap is being configured as a sniffer.

C. Ettercap is being configured for text mode.

D. Ettercap is being configured for manual mode.

E. Ettercap is being configured for a man-in-the-middle attack.

C and E. Ettercap is defined as a “comprehensive suite for man-in-the-middle attacks” by nearly every website devoted to it (do a search for Ettercap, and you’ll see what I mean), and it’s almost universally recognized as one of—if not the—best man-in-the-middle attack suites on the planet. Because of this, you’ll need to know some basics about it (not much but some). Ettercap can run in one of four user interfaces: text only (–T), something called curses (–C), a GUI (known as GTK, and using the –G flag), and daemon mode (–D). In this example, text mode is enabled, the –q flag sets things “quiet,” and the –M flag sets up man-in-the-middle ARP poisoning.

A is incorrect because the –T flag is used to put Ettercap in text mode. –G would put Ettercap in GTK mode.

B is incorrect because Ettercap isn’t being configured as a sniffer here. It’s being set up to perform an MITM attack, not to log packets.

D is incorrect because there is no “manual” mode in Ettercap. This is included as a distractor.

25. Within a TCP packet dump, a packet is noted with the SYN flag set and a sequence number set at A13F. What should the acknowledgment number in the return SYN/ACK packet be?

A. A131

B. A130

C. A140

D. A14F

C. We’ve been over the need for predicting sequence numbers before, so I won’t bore you with it again other than to restate the salient point here: The ISN is incremented by 1 in the SYN/ACK return packet. Because these values were given in hex instead of decimal, all you need to know is what the next hex value after A13F is. You could split it out into binary (each hex digit is four bits, so this would equate to 1010000100111111) and then pick the next available number (1010000101000000) and split it back into hex (1010 = A, 0001 = 1, 0100 = 4, and 0000 = 0). Alternatively, you could convert directly to decimal (41279), add 1, and then convert back to hex. And, yes, you do need to know number conversion from decimal to binary to hex, so stop complaining.

A, B, and D are incorrect hex equivalents for decimal 41280 (the next number acknowledgment for the ISN).
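Added example, not from the book: the two conversion routes above carried out in code (hex to binary to hex, and hex to decimal to hex), plus the check a practitioner actually applies to a capture, acknowledgment equals ISN + 1 modulo 2**32, which also covers the wraparound at 0xFFFFFFFF that the hand method above does not touch. Function names are my own.

```python
def hex_to_bits(hex_str):
    """Expand each hex digit into its four-bit nibble, as done by hand above
    (A13F -> 1010 0001 0011 1111)."""
    return "".join(format(int(d, 16), "04b") for d in hex_str)

def bits_to_hex(bits):
    """Regroup a bit string into nibbles and map each back to a hex digit."""
    width = -(-len(bits) // 4) * 4          # pad to a whole number of nibbles
    bits = bits.zfill(width)
    return "".join(format(int(bits[i:i + 4], 2), "X")
                   for i in range(0, len(bits), 4))

def expected_ack(isn_hex):
    """Acknowledgment number a SYN/ACK must carry for a SYN with this ISN:
    ISN + 1, taken modulo 2**32 because the 32-bit TCP sequence space wraps."""
    return (int(isn_hex, 16) + 1) % 2**32

def worked_conversion(isn_hex):
    """Both routes from the explanation: via binary and via decimal."""
    bits = hex_to_bits(isn_hex)
    incremented = format(int(bits, 2) + 1, f"0{len(bits)}b")
    return {
        "bits": bits,                                      # 1010000100111111
        "decimal": int(isn_hex, 16),                       # 41279
        "via_binary": bits_to_hex(incremented),            # A140
        "via_decimal": format(int(isn_hex, 16) + 1, "X"),  # A140
    }

def syn_ack_matches(syn_seq_hex, ack_hex):
    """Check a captured SYN/ACK's acknowledgment number against the SYN it
    answers, including the 0xFFFFFFFF -> 0 wraparound case."""
    return int(ack_hex, 16) == expected_ack(syn_seq_hex)

if __name__ == "__main__":
    print(worked_conversion("A13F"))
    print(syn_ack_matches("A13F", "A140"), syn_ack_matches("A13F", "A14F"))  # True False
```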

26. When is session hijacking performed?

A. Before the three-step handshake

B. During the three-step handshake

C. After the three-step handshake

D. After a FIN packet

C. This question should be an easy one for you, but it’s included here to reinforce the point that you need to understand session hijacking steps well for the exam. Of course, session hijacking should occur after the three-step handshake. As a matter of fact, you’ll probably need to wait quite a bit after the three-step handshake so that everything on the session can be set up—authentication and all that nonsense should be taken care of before you jump in and take over.

A and B are incorrect because session hijacking occurs after a session is already established, and the three-step handshake must obviously occur first for this to be true.

D is incorrect because the FIN packet brings an orderly close to the TCP session. Why on Earth would you wait until it’s over to start trying to hijack it?