Q291. Take a look at the following attack on a Web Server using obstructed URL: 

http://www.example.com/script.ext?template%2e%2e%2e%2e%2e%2f%2e%2f%65%74%63%2f %70%61%73%73%77%64 

The request is made up of: 

-%2e%2e%2f%2e%2e%2f%2e%2f% = ../../../ 

-%65%74%63 = etc 

-%2f = / 

-%70%61%73%73%77%64 = passwd 

How would you protect information systems from these attacks? 

A. Configure Web Server to deny requests involving Unicode characters. 

B. Create rules in IDS to alert on strange Unicode requests. 

C. Use SSL authentication on Web Servers. 

D. Enable Active Scripts Detection at the firewall and routers. 

Answer: B

Explanation: This is a typical Unicode attack. By configuring your IDS to trigger on strange Unicode requests you can protect your web-server from this type of attacks. 


Q292. Exhibit: 

Study the following log extract and identify the attack. 

A. Hexcode Attack 

B. Cross Site Scripting 

C. Multiple Domain Traversal Attack 

D. Unicode Directory Traversal Attack 

Answer: D

Explanation: The “Get /msadc/……/……/……/winnt/system32/cmd.exe?” shows that a Unicode Directory Traversal Attack has been performed. 


Q293. Which of the following algorithms can be used to guarantee the integrity of messages being sent, in transit, or stored? (Choose the best answer) 

A. symmetric algorithms 

B. asymmetric algorithms 

C. hashing algorithms 

D. integrity algorithms 

Answer:

Explanation: In cryptography, a cryptographic hash function is a hash function with certain additional security properties to make it suitable for use as a primitive in various information security applications, such as authentication and message integrity. A hash function takes a long string (or 'message') of any length as input and produces a fixed length string as output, sometimes termed a message digest or a digital fingerprint. 


Q294. Study the log below and identify the scan type. 

tcpdump -vv host 192.168.1.10 

17:34:45.802163 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 36166) 

17:34:45.802216 eth0 < 192.168.1.1 > victim: ip-proto-25 0 (ttl 48, id 33796) 

17:34:45.802266 eth0 < 192.168.1.1 > victim: ip-proto-162 0 (ttl 48, id 47066) 

17:34:46.111982 eth0 < 192.168.1.1 > victim: ip-proto-74 0 (ttl 48, id 35585) 

17:34:46.112039 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 32834) 

17:34:46.112092 eth0 < 192.168.1.1 > victim: ip-proto-25 0 (ttl 48, id 26292) 

17:34:46.112143 eth0 < 192.168.1.1 > victim: ip-proto-162 0 (ttl 48, id 51058) 

tcpdump -vv -x host 192.168.1.10 

17:35:06.731739 eth0 < 192.168.1.10 > victim: ip-proto-130 0 (ttl 59, id 42060) 4500 0014 a44c 0000 3b82 57b8 c0a8 010a c0a8 0109 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 

A. nmap -sR 192.168.1.10 

B. nmap -sS 192.168.1.10 

C. nmap -sV 192.168.1.10 

D. nmap -sO -T 192.168.1.10 

Answer: D


Q295. ou are footprinting Acme.com to gather competitive intelligence. You visit the acme.com websire for contact information and telephone number numbers but do not find it listed there. You know that they had the entire staff directory listed on their website 12 months ago but now it is not there. How would it be possible for you to retrieve information from the website that is outdated? 

A. Visit google search engine and view the cached copy. 

B. Visit Archive.org site to retrieve the Internet archive of the acme website. 

C. Crawl the entire website and store them into your computer. 

D. Visit the company’s partners and customers website for this information. 

Answer: B

Explanation: The Internet Archive (IA) is a non-profit organization dedicated to maintaining an archive of Web and multimedia resources. Located at the Presidio in San Francisco, California, this archive includes "snapshots of the World Wide Web" (archived copies of pages, taken at various points in time), software, movies, books, and audio recordings (including recordings of live concerts from bands that allow it). This site is found at www.archive.org. 


Q296. LAN Manager passwords are concatenated to 14 bytes and split in half. The two halves are hashed individually. If the password is 7 characters or less, than the second half of the hash is always: 

A. 0xAAD3B435B51404EE 

B. 0xAAD3B435B51404AA 

C. 0xAAD3B435B51404BB 

D. 0xAAD3B435B51404CC 

Answer: A

Explanation: A problem with LM stems from the total lack of salting or cipher block chaining in the hashing process. To hash a password the first 7 bytes of it are transformed into an 8 byte odd parity DES key. This key is used to encrypt the 8 byte string "KGS!@". Same thing happens with the second part of the password. This lack of salting creates two interesting consequences. Obviously this means the password is always stored in the same way, and just begs for a typical lookup table attack. The other consequence is that it is easy to tell if a password is bigger than 7 bytes in size. If not, the last 7 bytes will all be null and will result in a constant DES hash of 0xAAD3B435B51404EE. 


Q297. What hacking attack is challenge/response authentication used to prevent? 

A. Replay attacks 

B. Scanning attacks 

C. Session hijacking attacks 

D. Password cracking attacks 

Answer: A

Explanation: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it. With a challenge/response authentication you ensure that captured packets can’t be retransmitted without a new authentication. 


Q298. Which of the following attacks takes best advantage of an existing authenticated connection 

A. Spoofing 

B. Session Hijacking 

C. Password Sniffing 

D. Password Guessing 

Answer: B

Explanation: Session hijacking is the act of taking control of a user session after successfully obtaining or generating an authentication session ID. Session hijacking involves an attacker using captured, brute forced or reverse-engineered session IDs to seize control of a legitimate user's Web application session while that session is still in progress. 


Q299. John runs a Web Server, IDS and firewall on his network. Recently his Web Server has been under constant hacking attacks. He looks up the IDS log files and sees no Intrusion attempts but the web server constantly locks up and needs rebooting due to various brute force and buffer overflow attacks but still the IDS alerts no intrusion whatsoever. 

John become suspicious and views he firewall logs and he notices huge SSL connections constantly hitting web server. 

Hackers have been using the encrypted HTTPS protocol to send exploits to the web server and that was the reason the IDS did not detect the intrusions. 

How would Jon protect his network form these types of attacks? 

A. Install a proxy server and terminate SSL at the proxy 

B. Install a hardware SSL “accelerator” and terminate SSL at this layer 

C. Enable the IDS to filter encrypted HTTPS traffic 

D. Enable the firewall to filter encrypted HTTPS traffic 

Answer: AB

Explanation: By terminating the SSL connection at a proxy or a SSL accelerator and then use clear text the distance between the proxy/accelerator and the server, you make it possible for the IDS to scan the traffic. 

Topic 20, Buffer Overflows 


Q300. One of the effective DoS/DDoS countermeasures is 'Throttling'. Which statement correctly defines this term? 

A. Set up routers that access a server with logic to adjust incoming traffic to levels that will be safe for the server to process 

B. Providers can increase the bandwidth on critical connections to prevent them from going down in the event of an attack 

C. Replicating servers that can provide additional failsafe protection 

D. Load balance each server in a multiple-server architecture 

Answer: A