Topic: Exam question (Read 9395 times)
LegioX (Newbie, Posts: 25)
« on: September 26, 2006, 02:53:52 PM »

Hi,

I have a question about one of the questions I've come across while studying for the CEH exam.
It goes as follows:

An employee wants to defeat detection by an N-IDS. He does not want to attack the system containing the IDS. Which of the following strategies can be employed to defeat detection?
A   Create a network tunnel
B   Create multiple false positives
C   Create a SYN flood
D   Create a ping flood

The answer listed is D, but I would have thought A was the best answer. This is because D would alert the IDS and not avoid detection.
Any thoughts?
MCSE & MCSA : Security (2003), A+, Network+, Security+, CEH, CCNA, JNCIA-FMW

Kev (Guest)
« Reply #1 on: September 26, 2006, 03:38:01 PM »

Both A and D could work in certain circumstances, but I am sure they mean D. The theory of the ping flood is that you can confuse the IDS by overloading it with packet data; that way you don't stand out. Not very stealthy in one sense, but it can work for a quick in-and-out attack. On the other hand, depending on what you define as a "network tunnel", you could make a tunnel and make sure your data flow is encrypted; while you won't hide that you are there, you might hide what you are doing.
« Last Edit: September 26, 2006, 03:44:06 PM by Kev »

Manu Zacharia (-M-) (Sr. Member, Posts: 393)
« Reply #2 on: September 26, 2006, 10:03:57 PM »

Hi All,

I have some comments to make on the above post(s). Firstly, let's take the definition of a ping flood:
Quote
Ping Flood attacks attempt to saturate a network by sending a continuous series of ICMP echo requests (pings) over a high-bandwidth connection to a target host on a lower-bandwidth connection to cause it to send back an ICMP echo reply for each request. Ping Flood attacks can slow down a network or even disable network connectivity.

Also a ping flood is considered as a DoS attack. Now if you look at the question, it clearly says that the Employee does not want to attack the system containing the IDS. If the employee initiates a ping flood on the IDS, it is a clear case of an attack on the IDS. Hence, in my opinion, Option D is not the correct answer.

Please comment on this post or correct me if I am wrong.

Regards,

Morpheus
Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n

Kev (Guest)
« Reply #3 on: September 26, 2006, 10:41:55 PM »

I think the problem with the question is the wording. What do they mean by "attack"? Some admins would even consider active sniffing and port probing the beginning of an attack. If he doesn't want to attack it, then what are they talking about? Send happy little emails to it? Perhaps it's a typo and they meant he doesn't want his attack to be seen as an attack? Also, I think they should have written "Send a flood of fragments" instead of "Ping flood", which limits it to ICMP packets.

Flooding an IDS with fragments is a well-known method of attempting to evade the IDS. The idea is to try and tie up all the memory capacity of the IDS by sending in so many fragments that the system becomes saturated. Once saturated, the IDS might not detect your next move because it can't gather the packets with its packet queue filled.

Anyway, I would not attempt to do it that way; I have better success with FragRoute. It's better to try and craft your packets in such a way that the IDS doesn't understand them.

All in all, this seems like another example of a poorly written test question for the CEH exam by some vendor selling prep tests.
« Last Edit: September 26, 2006, 10:50:16 PM by Kev »

skel (Jr. Member, Posts: 60)
« Reply #4 on: September 26, 2006, 11:43:51 PM »

There are a lot of CEH questions which do not give proper information to select the answer. I do not think this is a poorly written question by a prep vendor; this is actually how CEH presents the questions. There are more absurd questions than this in the CEH.

Quote
He does not want to attack the system containing the IDS

It looks as if the author is trying to say that the IDS should not be triggered by any unusual activity. If you consider this meaning, a ping flood is out. Since B, C and D would trigger the IDS in some way, I would vote for 'A' as the answer.

When you don't have a clear-cut answer to a question, the next best thing would be to eliminate the obviously wrong answers. If you work upwards from here, you will be left with the most possible answer. This is general advice for any MCQ question.
Skel

LegioX (Newbie, Posts: 25)
« Reply #5 on: September 27, 2006, 03:11:11 AM »

Thanks for the prompt reply everybody. And I am certainly glad that I wasn't the only one confused by this question!

I guess when I read the question I did make a few presumptions. Namely, that the 'ping flood' would be considered an attack, and secondly that the 'network tunnel' would be somehow encrypted and therefore avoid detection by the N-IDS.

That seems to be the general consensus. So most people here would go for 'D' then?
MCSE & MCSA : Security (2003), A+, Network+, Security+, CEH, CCNA, JNCIA-FMW

Kev (Guest)
« Reply #6 on: September 27, 2006, 11:19:22 AM »

Strictly speaking, creating a network tunnel would not work to evade IDS. If by "network tunnel" they mean something like an encrypted VPN connection, then the answer would be yes.

A ping flood doesn't necessarily mean a DoS attack in the sense of trying to do a denial of service. The way this hack would be done is to run the flood from a hijacked computer and run a command from their command prompt like C:\ ping -t -l 65000 "IP address", although you might want to use a smaller packet than 65000; I have found that from a single computer this will not crash most servers. We are just trying to gently overload the IDS, not crash anything.

Then, once we feel the IDS queue has been flooded, from another box we can begin whatever scans, etc. we might like and not be seen by the saturated IDS. So in my opinion either A or D is correct if you expand on the meaning, and both are incorrect if you simply take them at their face meaning. I would rather try and answer questions like this based on my real-world experience and not from an armchair hacking debate on semantics. I am curious as to where you saw this question. Was it on a prep test?
« Last Edit: September 27, 2006, 11:35:43 AM by Kev »
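Kev's replies #3 and #6 above describe the same IDS failure mode from the attacker's side: flood the sensor with fragments or oversized pings until its reassembly queue is full, and whatever follows goes uninspected. The Python below is an added, defender-side illustration of that mechanism; it is not code from this thread or from any of its posters. A bounded fragment-reassembly table shows a legitimate datagram being evicted by a burst of fragmented echo requests (the orphaned final fragment is the inspection gap), and a per-source sliding-window monitor emits the alert a sensor should raise as soon as such a burst starts. The hosts 10.0.0.5 and 10.0.0.99, the queue capacity, the thresholds and every packet record are constructed for the example.

```python
"""
Added example, not code from the EH-Net thread or any of its posters.
Models the IDS failure mode Kev describes (a flood fills the reassembly
queue so later packets are not inspected) from the defender's side:
a bounded fragment table shows legitimate datagrams being evicted, and a
per-source rate monitor raises the alert a sensor should emit when an
ICMP-echo or fragment flood starts. All packet records are constructed.
"""
from collections import OrderedDict, defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    ts: float                       # arrival time in seconds
    src: str                        # source IP (constructed)
    proto: str                      # "icmp-echo", "udp", "tcp"
    frag_id: Optional[int] = None   # IP identification when fragmented
    last_frag: bool = False         # True on the final fragment of a datagram


class FragTable:
    """Bounded reassembly table; evicts the oldest incomplete datagram when full."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.pending = OrderedDict()   # (src, frag_id) -> fragments seen so far
        self.evictions = self.completed = self.orphans = 0

    def add(self, pkt: Pkt) -> str:
        key = (pkt.src, pkt.frag_id)
        if pkt.last_frag:
            if key in self.pending:
                del self.pending[key]
                self.completed += 1
                return "complete"
            # Earlier fragments were evicted: this datagram is never reassembled,
            # so its payload is never inspected. That is the evasion window.
            self.orphans += 1
            return "orphan"
        if key not in self.pending:
            if len(self.pending) >= self.capacity:
                self.pending.popitem(last=False)   # drop the oldest entry
                self.evictions += 1
            self.pending[key] = []
        self.pending[key].append(pkt)
        return "pending"


class RateMonitor:
    """Sliding-window per-source counter for ICMP echo and fragment rates."""

    def __init__(self, window: float, threshold: int):
        self.window, self.threshold = window, threshold
        self.hist = defaultdict(deque)   # (src, kind) -> deque of timestamps
        self.fired = set()               # alert once per (src, kind)

    def observe(self, pkt: Pkt) -> list:
        kinds = []
        if pkt.proto == "icmp-echo":
            kinds.append("icmp-echo")
        if pkt.frag_id is not None:
            kinds.append("fragment")
        alerts = []
        for kind in kinds:
            q = self.hist[(pkt.src, kind)]
            q.append(pkt.ts)
            while q[0] < pkt.ts - self.window:   # expire timestamps outside the window
                q.popleft()
            if len(q) >= self.threshold and (pkt.src, kind) not in self.fired:
                self.fired.add((pkt.src, kind))
                alerts.append(f"{pkt.src} {kind} flood: {len(q)} pkts in "
                              f"{self.window:g}s at t={pkt.ts:.3f}")
        return alerts


def simulate(packets, capacity=64, window=1.0, threshold=100) -> dict:
    """Feed packets through both components; return the counters a sensor would log."""
    table, monitor, alerts = FragTable(capacity), RateMonitor(window, threshold), []
    for pkt in sorted(packets, key=lambda p: p.ts):
        alerts.extend(monitor.observe(pkt))
        table.add(pkt)
    return {"evictions": table.evictions, "completed": table.completed,
            "orphans": table.orphans, "pending": len(table.pending), "alerts": alerts}


def build_sample() -> list:
    """Constructed traffic: one legitimate two-fragment datagram from 10.0.0.5
    straddling a burst of 300 oversized (fragmented) echo requests from 10.0.0.99."""
    pkts = [Pkt(0.0, "10.0.0.5", "udp", frag_id=1)]
    pkts += [Pkt(0.1 + i * 0.004, "10.0.0.99", "icmp-echo", frag_id=1000 + i)
             for i in range(300)]
    pkts.append(Pkt(1.5, "10.0.0.5", "udp", frag_id=1, last_frag=True))
    return pkts


if __name__ == "__main__":
    for name, value in simulate(build_sample()).items():
        print(name, value)
```

Running the file prints the counters for the constructed burst: 237 evictions, 0 completed datagrams, 1 orphan, and two alerts for 10.0.0.99. The defender's takeaway is that eviction and orphan counters climbing alongside a rate alert is what the saturation Kev describes looks like from inside the sensor; a deployment that only reports signature hits would show nothing at all while its queue is being flushed, so those queue counters deserve their own alert threshold.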
LSOChris (Guest)
« Reply #7 on: September 27, 2006, 10:39:02 PM »

It's on the cheat exam...

Why not B? If you can slip your attack in with a bunch of false positives, don't you have a chance of the attack being overlooked?

I don't believe creating false positives would be considered attacking the box... but as you can tell by the thread, it's open to debate ;-)
LegioX (Newbie, Posts: 25)
« Reply #8 on: September 28, 2006, 03:23:07 AM »

He's right - it shows up on both the TestKing and a VCE that I'm using for revision (felt the need to point that out pre-emptively!).

In saying that though I've come across questions just as ambiguous in both the Preplogic and Boson practice tests...
MCSE & MCSA : Security (2003), A+, Network+, Security+, CEH, CCNA, JNCIA-FMW

Kev (Guest)
« Reply #9 on: September 28, 2006, 11:24:39 AM »

Wow, you are studying all of those exam preps? I admire your effort. I will say I am not a big fan of preps like those. I think they might have some value if you use them as a guide to test your general knowledge, but from what I hear and what I have actually seen, they are a waste of time if you hope you will see the exact same questions on the CEH exam. I remember reading a number of posts on the old Boson forum that there were only 2 questions on the entire CEH exam that mirrored the questions in the Boson prep. There were so many complaints that Boson closed down the forum! That's not good if you were hoping to just memorize a bunch of answers and ace the test, lol! My feeling is it's better to focus on real-world hacking skill than just trying to pass a test by reading questions and answers.

So say you pass the test and you still can't do a pentest? What value is that and how long will you last in the industry? Of course reading is good, and my advice is to read "Counter Hack" by Ed Skoudis to get an overview. Then read "Certified Ethical Hacker" by Michael Gregg to get a better idea of the CEH material. After that, work with something like Learn Security Online, which has a lot of practical work. Make sure you set up some kind of hack lab and then get busy. The key is to get your fingers dirty, so to speak. Don't be an armchair hacker.
« Last Edit: September 28, 2006, 11:58:50 AM by Kev »

LegioX (Newbie, Posts: 25)
« Reply #10 on: September 28, 2006, 01:32:14 PM »

I appreciate your input.

I like to try and use materials from different sources and not rely on one vendor to get a good feel for the content - that's why I'm using all the different practice tests.

I have no intention of being an armchair hacker!
I have VMWare and a few different labs setup, so am trying to get the hands-on stuff as well.
I've used the CBT Nuggets video lectures and read Grey Hat Hacker by Shon Harris. I found this a great book, but didn't find it related very well to the CEH exam specifically... (I would recommend it as a good read though).

Some of the tools I've used for years (i.e.. NMap) and others I've only come across by doing this exam (i.e.. Hunt).

When I do an exam I like to learn about the topic, as much as I can, rather than just memorize answers... Hence the Preplogic/Boson involvement.

I know it's all a bit OTT but I get pretty nervous doing exams and like to walk in feeling prepared.

Right now I'm cautiously optimistic.
MCSE & MCSA : Security (2003), A+, Network+, Security+, CEH, CCNA, JNCIA-FMW

skel (Jr. Member, Posts: 60)
« Reply #11 on: September 28, 2006, 10:31:57 PM »

Well LegioX

If you are targeting the exam, try TestKing. I did the exam about 2 weeks ago. About 95% of the questions matched word for word with TestKing. But don't rely on the answers. I haven't tried the others though.

My advice/comments on the exam is on thread http://www.ethicalhacker.net/component/option,com_smf/Itemid,49/topic,665.0/

regards
Skel

LSOChris (Guest)
« Reply #12 on: September 29, 2006, 03:57:22 PM »

Knowing your basics and actually knowing the material the objectives cover will take you farther than memorizing questions from a "study" site.
skel (Jr. Member, Posts: 60)
« Reply #13 on: October 02, 2006, 12:49:21 AM »

agreed.

Once you start running the tools and realise the power behind them, you will never be able to get out if you are serious about security/hacking.
Skel

piewacket (Newbie, Posts: 5)
« Reply #14 on: October 02, 2006, 04:08:26 PM »

I have a 5-day course next week and have been studying for about 2 months with the EC-Council official courseware manual and exam prep.

Can anyone recommend buying TestKing or others? I've seen several mentioned on this forum.

rgds