- (Topic 15)
Derek has stumbled upon a wireless network and wants to assess its security. However, he does not find enough traffic for a good capture. He intends to use AirSnort on the captured traffic to crack the WEP key and does not know the IP address range or the AP. How can he generate traffic on the network so that he can capture enough packets to crack the WEP key?

1. A. Use any ARP requests found in the capture
2. B. Derek can use a session replay on the packets captured
3. C. Derek can use KisMAC as it needs two USB devices to generate traffic
4. D. Use Ettercap to discover the gateway and ICMP ping flood tool to generate traffic

Correct Answer: D
By forcing the network to answer to a lot of ICMP messages you can gather enough packets to crack the WEP key.

- (Topic 3)
While performing a ping sweep of a subnet you receive an ICMP reply of Code 3/Type 13 for all the pings sent out.
What is the most likely cause behind this response?

1. A. The firewall is dropping the packets.
2. B. An in-line IDS is dropping the packets.
3. C. A router is blocking ICMP.
4. D. The host does not respond to ICMP packets.

Correct Answer: C
Type 3 message = Destination Unreachable [RFC792], Code 13 (cause) = Communication Administratively Prohibited [RFC1812]

- (Topic 5)
How would you describe an attack where an attacker attempts to deliver the payload over multiple packets over long periods of time with the purpose of defeating simple pattern matching in IDS systems without session reconstruction? A characteristic of this attack would be a continuous stream of small packets.

1. A. Session Splicing
2. B. Session Stealing
3. C. Session Hijacking
4. D. Session Fragmentation

Correct Answer: A

- (Topic 3)
Doug is conducting a port scan of a target network. He knows that his client target network has a web server and that there is a mail server also which is up and running. Doug has been sweeping the network but has not been able to elicit any response from the remote target. Which of the following could be the most likely cause behind this lack of response? Select 4.

1. A. UDP is filtered by a gateway
2. B. The packet TTL value is too low and cannot reach the target
3. C. The host might be down
4. D. The destination network might be down
5. E. The TCP windows size does not match
6. F. ICMP is filtered by a gateway

Correct Answer: ABCF
If the destination host or the destination network is down there is no way to get an answer and if TTL (Time To Live) is set too low the UDP packets will “die” before reaching the host because of too many hops between the scanning computer and the target. The TCP receive window size is the amount of received data (in bytes) that can be buffered during a connection. The sending host can send only that amount of data before it must wait for an acknowledgment and window update from the receiving host and ICMP is mainly used for echo requests and not in port scans.

- (Topic 23)
Attackers send an ACK probe packet with random sequence number, no response means port is filtered (Stateful firewall is present) and RST response means the port is not filtered. What type of Port Scanning is this?

1. A. RST flag scanning
2. B. FIN flag scanning
3. C. SYN flag scanning
4. D. ACK flag scanning

Correct Answer: D