EH-Net

Ethical Hacking Discussions and Related Certifications => CEH - Certified Ethical Hacker => Topic started by: ric2007 on July 18, 2007, 12:32:01 PM



Title: CEH Questions
Post by: ric2007 on July 18, 2007, 12:32:01 PM
Hi All! Much thanks to Don and Blackazzaro for your help..

I have some questions that I hope you can help me with and which I hope will be able to help others.. I was supposed to write my CEH exam on 16/07/07 but due to technical difficulties experienced by the testing centre I have been left in limbo.. but I am not complaining as it gives me more time to study..

1.) Is it possible to block/prevent attackers from running any sort of traceroute into your DMZ?

2.) Using a 802.11b wireless nic on your laptop with Netstumbler installed, you would like to scan an 802.11g network? Why is this not possible?

3) You are doing IP spoofing while you scan your target. You find that the target has port 23 open. Anyway you are unable to connect. Why?

4) I notice repeated probes to port 1080. I learn that the protocol being used is designed to allow the host outside of a firewall to connect transparently and securely through the firewall. What would be your inference of what is happening/happened? Could someone be using SOCKS on the network to communicate through the firewall?

Your help is most appreciated and I hope that I can one day give back..


Title: Re: CEH Questions
Post by: BillV on July 18, 2007, 01:06:23 PM
Quote
1.) Is it possible to block/prevent attackers from running any sort of traceroute into your DMZ?

Block ICMP.

Quote
2.) Using a 802.11b wireless nic on your laptop with Netstumbler installed, you would like to scan an 802.11g network? Why is this not possible?

Not sure of the technical reason, but bottom line is that they aren't compatible. G cards can usually pick up B, I'm not aware of any G cards that can't, but B cards can't operate on a G frequency so that's probably why they can't even see the traffic.

Quote
3) You are doing IP spoofing while you scan your target. You find that the target has port 23 open. Anyway you are unable to connect. Why?

Depends on what is running on port 23. It doesn't necessarily have to be telnet (if that's what you're referring to), and there could also be further restrictions imposed. And also, if you're spoofing your IP, perhaps you just happen to be spoofing one that is allowed to connect, but once you try a full connect from your IP, it doesn't work.

Quote
4) I notice repeated probes to port 1080. I learn that the protocol being used is designed to allow the host outside of a firewall to connect transparently and securely through the firewall. What would be your inference of what is happening/happened? Could someone be using SOCKS on the network to communicate through the firewall?

Perhaps run a sniffer to see what sort of traffic is passing through. If this is your firewall, block the port.

Hope that helps somewhat...
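BillV's suggestion for question 4 is to look at the traffic. The script below is an added example written for this page (not code from any poster) that does that against firewall log lines instead of a live sniffer: it parses lines in the netfilter LOG-target style, tells an inbound sweep of SYNs to 1080/tcp (someone hunting for a listening SOCKS proxy) apart from a flow the firewall is actually forwarding to a SOCKS port (someone using a proxy through the firewall). The log lines, addresses, and the PROXY_PORTS table (a subset of /etc/services) are all constructed for the example, and the regex assumes the simplified field order shown in the sample.

```python
import re
from collections import defaultdict

# Constructed sample lines in the netfilter LOG-target style (made up for this
# example; not taken from the thread). The last line is a flow the firewall is
# FORWARDING from the inside (eth1) to the outside (eth0), not an inbound probe.
SAMPLE_LOG = """\
Jul 18 12:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=44211 DPT=1080 SYN
Jul 18 12:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.11 PROTO=TCP SPT=44212 DPT=1080 SYN
Jul 18 12:01:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.12 PROTO=TCP SPT=44213 DPT=1080 SYN
Jul 18 12:01:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.13 PROTO=TCP SPT=44214 DPT=1080 SYN
Jul 18 12:01:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.14 PROTO=TCP SPT=44215 DPT=1080 SYN
Jul 18 12:02:10 fw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=50001 DPT=80 SYN
Jul 18 12:03:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=50002 DPT=8080 SYN
Jul 18 12:05:42 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.50 PROTO=TCP SPT=40100 DPT=1080 SYN
"""

# Subset of /etc/services covering ports that proxy scanners typically hunt for.
PROXY_PORTS = {1080: "socks", 3128: "squid-http", 8080: "http-alt"}

# Assumes the simplified field order used in SAMPLE_LOG above.
LOG_RE = re.compile(
    r"IN=(?P<iface_in>\S*) OUT=(?P<iface_out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<rest>.*)"
)


def parse(log_text):
    """Turn LOG-target lines into dicts; lines that do not match are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        records.append({
            "iface_in": m["iface_in"], "iface_out": m["iface_out"],
            "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "dpt": int(m["dpt"]), "syn": "SYN" in m["rest"].split(),
        })
    return records


def find_proxy_sweeps(records, min_targets=3):
    """Sources sending inbound SYNs to a proxy port on >= min_targets distinct hosts.

    That pattern is someone hunting for a listening SOCKS/HTTP proxy: a probe,
    not evidence that the firewall has been breached.
    """
    targets = defaultdict(set)
    for r in records:
        inbound = r["iface_in"] and not r["iface_out"]   # arrived here, not forwarded
        if inbound and r["syn"] and r["dpt"] in PROXY_PORTS:
            targets[(r["src"], r["dpt"])].add(r["dst"])
    return sorted(
        (src, dpt, PROXY_PORTS[dpt], len(hosts))
        for (src, dpt), hosts in targets.items()
        if len(hosts) >= min_targets
    )


def find_forwarded_proxy_flows(records):
    """Flows the firewall actually passes through to a proxy port (IN and OUT both set).

    This is what 'somebody is using SOCKS to communicate through the firewall'
    looks like in the log, as opposed to the inbound sweep above.
    """
    return sorted(
        (r["src"], r["dst"], r["dpt"], PROXY_PORTS[r["dpt"]])
        for r in records
        if r["iface_in"] and r["iface_out"] and r["dpt"] in PROXY_PORTS
    )


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for src, dpt, name, n in find_proxy_sweeps(recs):
        print(f"sweep: {src} probed {name} ({dpt}/tcp) on {n} hosts")
    for src, dst, dpt, name in find_forwarded_proxy_flows(recs):
        print(f"forwarded: {src} -> {dst} {name} ({dpt}/tcp) crossed the firewall")
```

On the sample data the sweep detector reports 203.0.113.7 hitting 1080/tcp on five hosts, while the single forwarded flow from 10.0.0.5 is the only line that would support a conclusion about SOCKS being used through the firewall. Whether the forwarded line should exist at all is a policy question for the FORWARD chain, which is the "block the port" part of BillV's answer.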


Title: Re: CEH Questions
Post by: Oyle on July 18, 2007, 03:11:57 PM
Quote
Using a 802.11b wireless nic on your laptop with Netstumbler installed, you would like to scan an 802.11g network? Why is this not possible?


Could be that 802.11g is faster than 802.11b? B and G work on different frequencies. 802.11N, when it is finally released, is supposed to be faster than   B AND G, and is also supposed to be able to facilitate (wow, big word) long-range Wi-Fi.

Hope it helps!


Title: Re: CEH Questions
Post by: nebu10uz on July 18, 2007, 08:21:32 PM
Actually, regarding question number 2:

Quote
2.) Using a 802.11b wireless nic on your laptop with Netstumbler installed, you would like to scan an 802.11g network? Why is this not possible?

The 802.11b and 802.11g standards are generally compatible. It all depends on the setup of the network. For instance, the same encryption must be used on all devices in a wifi network. Usually 802.11g devices support more advanced encryption options than the 802.11b standard. Therefore if your 802.11b wireless nic card does not support the encryption option that the 802.11g network is using then you won't be able to scan this network.

At home I have a 802.11g network setup with my laptop that is using a 802.11b nic. And since my wifi network is properly set, all works fine.

Quote
Could be that 802.11g is faster than 802.11b? B and G work on different frequencies.

Oyle, 802.11b and 802.11g operate on the same frequency (2.4-2.5 GHz) and that's why they are compatible and yes 802.11g ( 54 Mbit/s) is much faster than 802.11b (11 Mbit/s), however, this is not the reason why a 802.11b wifi nic on a laptop can't scan a 802.11g network.


Title: Re: CEH Questions
Post by: BillV on July 19, 2007, 07:13:46 AM
D'oh! Haha.. yeah, B and G are same, A is the higher one. Read through the questions too fast.. whoops :)


Title: Re: CEH Questions
Post by: Otter on July 20, 2007, 05:56:44 AM
Quote
1.) Is it possible to block/prevent attackers from running any sort of traceroute into your DMZ?

If your router doesn't ever respond with ICMP messages of any type, this effectively breaks traceroute in all its flavors iirc. I believe you may also encounter the distinction in traceroute implementations where Cisco and Linux use UDP packets for the probe while Windows uses ICMP echo requests. The "sensing" mechanism on all OSes I believe relies on ICMP replies.


http://www.cisco.com/warp/public/105/traceroute.shtml


Quote
2.) Using a 802.11b wireless nic on your laptop with Netstumbler installed, you would like to scan an 802.11g network? Why is this not possible?

b and g use the same frequency, however b is the older slower standard, g the newer. g is by standard backward compatible with b, but b hardware can't grok g traffic. If you want to get very technical about it, the difference between the two is the modulation scheme. CCK is the scheme used by b, OFDM is used by g, but by standard, g hardware can deal with CCK.

http://en.wikipedia.org/wiki/802.11#802.11b

But nothing I recall of the CEH exam got anywhere near that technical regarding modulation.

Quote
3) You are doing IP spoofing while you scan your target. You find that the target has port 23 open. Anyway you are unable to connect. Why?

Just think about this for bit.  If you spoof your IP address in your scan, where will the target send the reply packets?   

Quote
4) I notice repeated probes to port 1080. I learn that the protocol being used is designed to allow the host outside of a firewall to connect transparently and securely through the firewall. What would be your inference of what is happening/happened? Could someone be using SOCKS on the network to communicate through the firewall?

Have a look at /etc/services on a linux box.  Or the IANA list of common ports  http://www.iana.org/assignments/port-numbers

I'm not sure I'd come to the conclusion someone is communicating through my fw with SOCKS just because of some probes, but I might conclude that the probes are perhaps hunting for a listening SOCKS server.
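To make Otter's question about the spoofed scan ("where will the target send the reply packets?") concrete, here is an added simulation written for this page, not code from any poster. The Host and Network classes, the addresses and the port are all constructed for the example; the model assumes a target stack that picks a random 32-bit initial sequence number and a spoofed host that answers an unsolicited SYN-ACK with RST, which is what real stacks do.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Minimal TCP segment: only the fields the three-way handshake depends on."""
    src: str
    dst: str
    dport: int
    flags: str      # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int
    ack: int = 0


class Host:
    def __init__(self, addr, open_ports=()):
        self.addr = addr
        self.open_ports = set(open_ports)
        self.half_open = {}       # peer addr -> ISN we chose, waiting for ACK of ISN+1
        self.established = set()  # peers whose handshake completed
        self.syn_sent = set()     # peers we ourselves sent a SYN to
        self.received = []        # every segment delivered to this address

    def handle(self, seg):
        """Process one inbound segment; return the reply segment or None."""
        self.received.append(seg)
        if seg.flags == "SYN":
            if seg.dport not in self.open_ports:
                return Segment(self.addr, seg.src, 0, "RST", seq=0, ack=seg.seq + 1)
            isn = secrets.randbits(32)   # unpredictable ISN, as modern stacks use
            self.half_open[seg.src] = isn
            return Segment(self.addr, seg.src, 0, "SYN-ACK", seq=isn, ack=seg.seq + 1)
        if seg.flags == "SYN-ACK" and seg.src not in self.syn_sent:
            # A SYN-ACK we never asked for (someone forged our address): answer RST.
            return Segment(self.addr, seg.src, 0, "RST", seq=seg.ack)
        if seg.flags == "ACK":
            isn = self.half_open.get(seg.src)
            if isn is not None and seg.ack == isn + 1:
                del self.half_open[seg.src]
                self.established.add(seg.src)
        if seg.flags == "RST":
            self.half_open.pop(seg.src, None)   # the RST tears the half-open connection down
        return None


class Network:
    """Delivers each segment to whichever host owns the destination address."""
    def __init__(self, hosts):
        self.hosts = {h.addr: h for h in hosts}

    def send(self, seg, max_hops=4):
        while seg is not None and max_hops:
            dst = self.hosts.get(seg.dst)
            if dst is None:
                return        # nobody owns that address: the segment is lost
            seg = dst.handle(seg)
            max_hops -= 1


def spoofed_scan(net, attacker, target, fake_src, port):
    """Send a SYN with a forged source; return the segments the attacker saw back."""
    seen = len(attacker.received)
    net.send(Segment(fake_src, target.addr, port, "SYN", seq=1000))
    return attacker.received[seen:]


def real_connect(net, client, target, port):
    """Honest handshake: the SYN-ACK returns to us, so we can ACK the right number."""
    client.syn_sent.add(target.addr)
    net.send(Segment(client.addr, target.addr, port, "SYN", seq=1000))
    if not client.received or client.received[-1].flags != "SYN-ACK":
        return False
    synack = client.received[-1]
    net.send(Segment(client.addr, target.addr, port, "ACK", seq=synack.ack, ack=synack.seq + 1))
    return client.addr in target.established


def blind_spoofed_connect(net, target, fake_src, port, guessed_isn):
    """Spoofed SYN, then a spoofed ACK with a guessed ISN: works only if the guess is right."""
    net.send(Segment(fake_src, target.addr, port, "SYN", seq=1000))
    net.send(Segment(fake_src, target.addr, port, "ACK", seq=1001, ack=guessed_isn + 1))
    return fake_src in target.established


if __name__ == "__main__":
    target = Host("10.0.0.5", open_ports={23})    # constructed addresses
    attacker = Host("10.0.0.66")
    victim = Host("10.0.0.7")                     # the address the attacker forges
    net = Network([target, attacker, victim])
    print("spoofed scan, attacker saw:", spoofed_scan(net, attacker, target, victim.addr, 23))
    print("real connect established:", real_connect(net, attacker, target, 23))
    print("blind spoofed connect:", blind_spoofed_connect(net, target, "10.0.0.99", 23, 12345))
```

The spoofed SYN-ACK goes to the forged address. If that host is live it replies RST and the target drops the half-open entry; if it is not, the reply is simply lost. Either way the attacker never sees the target's ISN, so it cannot send the ACK that completes the handshake, and the telnet port that the scan reported open cannot be connected to from the forged address. Where the attacker can observe the SYN-ACK by some other route (same broadcast segment, a sniffer on the path) or the ISN is predictable, that assumption breaks, which is why unpredictable ISNs matter.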


Title: Re: CEH Questions
Post by: skel on July 20, 2007, 07:05:37 AM
Quote
2.) Using a 802.11b wireless nic on your laptop with Netstumbler installed, you would like to scan an 802.11g network? Why is this not possible?

I can remember when I was studying for CEH that one of the CEH documents said that Netstumbler doesn't support 11g. It was probably talking about an earlier version of Netstumbler.

So could this question be a practice test question coming from this era?


Title: Re: CEH Questions
Post by: ric2007 on July 22, 2007, 02:41:31 PM
Hi All! I have decided to give you the questions with the multiple choices..

1) Eric notices probes to port 1080. He learns that the protocol being used is designed to allow a host outside of a firewall to connect transparently and securely through a firewall. He wonders if his firewall has been breached. What would be your inference?

A. Eric's network has been penetrated by a firewall breach?
B. The attacker is using ICMP protocol to have a covert channel
C. Eric has a wingate package providing FTP redirection on his network
D. Somebody is using SOCKS on the network to communicate through the Firewall

2) You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discover the internal structure of publicly accessible areas of the network. How can you achieve this?

A. Block ICMP at the firewall
B. Block UDP at the firewall
C. Both A and B
D. There is no way to completely block doing a traceroute into this area.

3) What do you conclude from the nmap results below?
starting nmap V. 3.10ALPHA0 (www.insecure.org/nmap)
(The 1592 ports scanned but not shown below are in state: closed)
Port state Service
21/tcp open ftp
25/tcp open smtp
90/tcp open http
443/tcp open https
Remote operating system guess: Too many signatures match the reliability to guess the OS. Nmap run completed - 1 IP address (1 host up) scanned in 91.66 seconds.

A. The system is a windows domain controller
B. The system is not firewalled
C. The system is not running linux or solaris
D. The system is not properly patched

4) You are doing IP spoofing while you scan your target. You find that the target has port 23 open. Anyway you are unable to connect. Why?

A. A firewall is blocking port 23
B. You cannot spoof + TCP
C. You need an automated telnet tool
D. The OS does not reply to telnet if port 23 is open.

The answers given to me as correct I have highlighted with a glow or made bold.. Your assistance is most appreciated and from the replies I have received very educational.. I would like to say thank you so much to the creators of this website.


Title: Re: CEH Questions
Post by: LSOChris on July 22, 2007, 03:37:24 PM
Hi All! I have decided to give you the questions with the multiple choices..

2) You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discover the internal structure of publicly accessible areas of the network. How can you achieve this?

A. Block ICMP at the firewall
B. Block UDP at the firewall
C. Both A and B
D. There is no way to completely block doing a traceroute into this area.


>> C, blocking ICMP/UDP should pretty much block any traceroute activities (yes i know there is LFT)

4) You are doing IP spoofing while you scan your target. You find that the target has port 23 open. Anyway you are unable to connect. Why?

A. A firewall is blocking port 23
B. You cannot spoof + TCP
C. You need an automated telnet tool
D. The OS does not reply to telnet if port 23 is open.

>> B, you cannot spoof + TCP
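BillV's "Block ICMP" and LSOChris's "C, blocking ICMP/UDP should pretty much block any traceroute activities (yes i know there is LFT)" both turn on what a traceroute actually needs: a probe that gets in, and an ICMP Time Exceeded that gets back out from each hop. The simulation below is an added example written for this page (not code from any poster or from any real firewall) that runs the three common probe flavours against a small constructed DMZ path under different filtering policies. The topology, addresses, Probe and Policy classes are all constructed; the model assumes the firewall filters ingress before looking at the TTL (so a dropped probe triggers no Time Exceeded) and that the egress ICMP filter also covers the firewall's own ICMP messages.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    proto: str      # "udp" (classic Unix traceroute), "icmp" (Windows tracert) or "tcp" (LFT/tcptraceroute style)
    dport: int = 0  # 33434 for UDP traceroute, the service port (e.g. 80) for TCP


@dataclass(frozen=True)
class Policy:
    """Simplified firewall policy; the fields are assumptions for this example."""
    ingress_drop: frozenset = frozenset()        # probe protocols dropped on the way in
    egress_drop_icmp: bool = False               # drop ICMP errors/echo replies leaving, the firewall's own included
    allowed_tcp_ports: frozenset = frozenset({80, 443})


def single_probe(routers, dest, probe, ttl, policy):
    """Simulate one probe. Returns ('hop', addr), ('dest', addr, reply_proto) or ('*',)."""
    # The firewall (routers[0]) filters before forwarding, so a dropped probe
    # never has its TTL examined and triggers no Time Exceeded.
    if probe.proto in policy.ingress_drop:
        return ("*",)
    if probe.proto == "tcp" and probe.dport not in policy.allowed_tcp_ports:
        return ("*",)
    for router in routers:
        ttl -= 1
        if ttl == 0:
            # This router emits ICMP Time Exceeded back toward the prober; it has
            # to leave through the firewall, which may drop it.
            return ("*",) if policy.egress_drop_icmp else ("hop", router)
    # Probe reached the destination host. UDP draws ICMP Port Unreachable, ICMP
    # echo draws an echo reply, a TCP SYN draws a SYN-ACK (or RST), which is not ICMP.
    reply_proto = "tcp" if probe.proto == "tcp" else "icmp"
    if reply_proto == "icmp" and policy.egress_drop_icmp:
        return ("*",)
    return ("dest", dest, reply_proto)


def traceroute(routers, dest, probe, policy, max_ttl=6):
    """Increase TTL until the destination answers; return what each TTL revealed."""
    revealed = []
    for ttl in range(1, max_ttl + 1):
        r = single_probe(routers, dest, probe, ttl, policy)
        revealed.append(r[1] if r[0] != "*" else "*")
        if r[0] == "dest":
            break
    return revealed


# Constructed topology: perimeter firewall, DMZ router, public web server.
ROUTERS = ["198.51.100.1", "198.51.100.2"]
DEST = "198.51.100.10"
PROBES = {"udp": Probe("udp", 33434), "icmp": Probe("icmp"), "tcp": Probe("tcp", 80)}

POLICIES = {
    "open": Policy(),
    "ingress ICMP": Policy(ingress_drop=frozenset({"icmp"})),
    "ingress ICMP+UDP": Policy(ingress_drop=frozenset({"icmp", "udp"})),
    "ingress ICMP+UDP, egress ICMP": Policy(ingress_drop=frozenset({"icmp", "udp"}),
                                            egress_drop_icmp=True),
}


def compare(policies=POLICIES):
    """Map policy name -> probe type -> list of what each TTL revealed."""
    return {name: {kind: traceroute(ROUTERS, DEST, p, pol) for kind, p in PROBES.items()}
            for name, pol in policies.items()}


if __name__ == "__main__":
    for name, per_probe in compare().items():
        print(name)
        for kind, path in per_probe.items():
            print(f"  {kind:4}: {' -> '.join(path)}")
```

Run it and the pattern is: dropping ICMP and UDP on ingress silences the classic UDP and ICMP traceroutes, but a TCP traceroute aimed at port 80, which the DMZ has to serve, still walks every hop because each router's Time Exceeded leaves unhindered. Filtering outbound ICMP errors as well hides the intermediate hops, yet the final SYN-ACK still arrives at TTL 3 and tells the prober how many hops deep the server sits. That is the practical reading of answer D: you can take the hop addresses away, not the hop count to a service you must expose.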



Title: Re: CEH Questions
Post by: skel on July 23, 2007, 11:01:27 PM
Agree with ChrisG.

Practice tests are a good guide to focus on exam test areas, but you need to read/research further and find answers. That way you will gain a lot of knowledge and pass the exam too.

Never solely depend on the answers given by them.


Title: Re: CEH Questions
Post by: ric2007 on July 24, 2007, 02:29:01 AM
Hi All! Thanks for all the help.. Thanks Skel, for your advice.. But I have been doing research and I am not relying on the questions alone. However, I have in some cases been left confused, hence my asking for your help with these questions. You are all good at what you do and I am no expert yet ;).. I am a student and you all are my teachers.

Thanks for all your help once again.. I am hoping to write the exam this week and will let you know how it went..