PrepAway - Latest Free Exam Questions & Answers

Author: seenagape

What type of technique might be used by these offenders to access the Internet without restriction?

Neil is closely monitoring his firewall rules and logs on a regular basis. Some of the users have complained to Neil that a few employees are visiting offensive web sites during work hours, without any consideration for others. Neil knows that he has an up-to-date content filtering system and that such access should not be authorized. What type of technique might be used by these offenders to access the Internet without restriction?

how can you detect these sniffing interfaces?

During the intelligence gathering phase of a penetration test, you come across a press release by a security products vendor stating that they have signed a multi-million dollar agreement with the company you are targeting. The contract was for vulnerability assessment tools and network-based IDS systems. While researching that particular brand of IDS you notice that its default installation performs sniffing and attack analysis on one NIC and handles management and reporting on another NIC. The sniffing interface is completely unbound from the TCP/IP stack by default. Assuming the defaults were used, how can you detect these sniffing interfaces?

What can be inferred from this output?

You have performed the traceroute below and notice that hops 19 and 20 both show the same IP address.

What can be inferred from this output?

1 172.16.1.254 (172.16.1.254) 0.724 ms 3.285 ms 0.613 ms
2 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 12.169 ms 14.958 ms 13.416 ms
3 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 13.948 ms ip68-100-0-1.nv.nv.cox.net (68.100.0.1) 16.743 ms 16.207 ms
4 ip68-100-0-137.nv.nv.cox.net (68.100.0.137) 17.324 ms 12.933 ms 20.938 ms
5 68.1.1.4 (68.1.1.4) 12.439 ms 220.166 ms 204.170 ms
6 so-6-0-0.gar2.wdc1.Level3.net (67.29.170.1) 16.177 ms 25.943 ms 14.104 ms
7 unknown.Level3.net (209.247.9.173) 14.227 ms 17.553 ms 15.415 ms
8 so-0-1-0.bbr1.NewYork1.level3.net (64.159.1.41) 17.063 ms 20.960 ms 19.512 ms
9 so-7-0-0-gar1.NewYork1.Level3.net (64.159.1.182) 20.334 ms 19.440 ms 17.938 ms
10 so-4-0-0.edge1.NewYork1.Level3.net (209.244.17.74) 27.526 ms 18.317 ms 21.202 ms
11 uunet-level3-oc48.NewYork1.Level3.net (209.244.160.12) 21.411 ms 19.133 ms 18.830 ms
12 0.so-6-0-0.XL1.NYC4.ALTER.NET (152.63.21.78) 21.203 ms 22.670 ms 20.11 ms
13 0.so-2-0-0.TL1.NYC8.ALTER.NET (152.63.0.153) 30.929 ms 24.858 ms 23.108 ms
14 0.so-4-1-0.TL1.ATL5.ALTER.NET (152.63.10.129) 38.894 ms 33.244 33.910 ms
15 0.so-7-0-0.XL1.MIA4.ALTER.NET (152.63.86.189) 51.165 ms 49.935 ms 49.466 ms
16 0.so-3-0-0.XR1.MIA4.ALTER.NET (152.63.101.41) 50.937 ms 49.005 ms 51.055 ms
17 117.ATM6-0.GW5.MIA1.ALTER.NET (152.63.82.73) 51.897 ms 50.280 ms 53.647 ms
18 example-gwl.customer.alter.net (65.195.239.14) 51.921 ms 51.571 ms 56.855 ms
19 www.ABC.com (65.195.239.22) 52.191 ms 52.571 ms 56.855 ms
20 www.ABC.com (65.195.239.22) 53.561 ms 54.121 ms 58.333 ms

Which of the following strategies can be used to defeat detection by a network-based IDS application?

ETHER: Destination address : 0000BA5EBA11
ETHER: Source address : 00A0C9B05EBD
ETHER: Frame Length : 1514 (0x05EA)
ETHER: Ethernet Type : 0x0800 (IP)
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Service Type = 0 (0x0)
IP: Precedence = Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: Total Length = 1500 (0x5DC)
IP: Identification = 7652 (0x1DE4)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = (0x0) bytes
IP: Time to Live = 127 (0x7F)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0xC26D
IP: Source Address = 10.0.0.2
IP: Destination Address = 10.0.1.201
TCP: Source Port = Hypertext Transfer Protocol
TCP: Destination Port = 0x1A0B
TCP: Sequence Number = 97517760 (0x5D000C0)
TCP: Acknowledgement Number = 78544373 (0x4AE7DF5)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x10 : .A....
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 28793 (0x7079)
TCP: Checksum = 0x8F27
TCP: Urgent Pointer = 0 (0x0)

An employee wants to defeat detection by a network-based IDS application. He does not want to attack the system containing the IDS application. Which of the following strategies can be used to defeat detection by a network-based IDS application?

What can you do to solve this problem?

You have discovered that an employee has attached a modem to his telephone line and workstation. He has used this modem to dial in to his workstation, thereby bypassing your firewall. A security breach has occurred as a direct result of this activity. The employee explains that he used the modem because he had to download software for a department project. What can you do to solve this problem?
