PrepAway - Latest Free Exam Questions & Answers

Category: 312-50V8 (v.1)

Exam 312-50V8: ECCouncil Certified Ethical Hacker v8 (update October 4th, 2015)

How can you detect these sniffing interfaces?

During the intelligence gathering phase of a penetration test, you come across a press release by
a security products vendor stating that they have signed a multi-million dollar agreement with the
company you are targeting. The contract was for vulnerability assessment tools and network-based
IDS systems. While researching that particular brand of IDS, you notice that its default
installation allows it to perform sniffing and attack analysis on one NIC and caters to its
management and reporting on another NIC. The sniffing interface is completely unbound from the
TCP/IP stack by default. Assuming the defaults were used, how can you detect these sniffing
interfaces?

Which of the following tools allows an attacker to intentionally craft packets to confuse pattern-matching NID

Most NIDS systems operate in layer 2 of the OSI model. These systems feed raw traffic into a
detection engine and rely on pattern matching and/or statistical analysis to determine what is
malicious. Packets are not processed by the host’s TCP/IP stack, allowing the NIDS to analyze
traffic the host would otherwise discard. Which of the following tools allows an attacker to
intentionally craft packets to confuse pattern-matching NIDS systems, while still being correctly
assembled by the host TCP/IP stack to render the attack payload?

What type of technique might be used by these offenders to access the Internet without restriction?

Neil is closely monitoring his firewall rules and logs on a regular basis. Some of the users have
complained to Neil that there are a few employees who are visiting offensive web sites during work
hours, without any consideration for others. Neil knows that he has an up-to-date content filtering
system and such access should not be authorized. What type of technique might be used by these
offenders to access the Internet without restriction?

How can an attacker disguise his buffer overflow attack signature such that there is a greater probability of

Basically, there are two approaches to network intrusion detection: signature detection, and
anomaly detection. The signature detection approach utilizes well-known signatures for network
traffic to identify potentially malicious traffic. The anomaly detection approach utilizes a previous
history of network traffic to search for patterns that are abnormal, which would indicate an
intrusion. How can an attacker disguise his buffer overflow attack signature such that there is a
greater probability of his attack going undetected by the IDS?

Which of the following options is he likely to choose?

John has a proxy server on his network which caches and filters web access. He shuts down all
unnecessary ports and services. Additionally, he has installed a firewall (Cisco PIX) that will not
allow users to connect to any outbound ports. Jack, a network user, has successfully connected to
a remote server on port 80 using netcat. He could in turn drop a shell from the remote machine.
Assuming an attacker wants to penetrate John’s network, which of the following options is he likely
to choose?

