The Ethical Hacker Network - Questions - required feebacks/views

dareth

Newbie

Offline

Posts: 5

Questions - required feebacks/views

« on: October 16, 2006, 08:22:28 AM »

Hi,
i did actualtest paper and i found their answer rather suspicous.

Q1
Doug is conducting a port scan of a target network. He knows that his client target network
has a web server and that there is a mail server which is up and running. Dough has been sweeping the network but has not been able to elicit any response from the remote target.
Which of the following could be the most likely cause behind this lack of response? Select 4

a. UDP is filtered by a gateway
b. The packet TTL value is too low and cannot reach the target
c. The host might be down
d. The destination network might be down
e. The TCP windows size does not match
f. ICMP is filterd by a gateway

ans: A,B,C,D

i thought the answer is A,C,D,F

Q2
You have the SOA presented below in you Zone. Your secondary servers have not been able to contact your primary server to synchronise information. How long will the secondary servers attempt to conact the primary server before it considers that zone is dead and stops responding to queries?
college.edu (200302028 3600 3600 6+4800 3600)

a. 1 day
b. 1 hour
c. 1 week
d. 1 month

Answer: C

i thought the answer is 1 hour??
60sec x 60 = 3600seconds

Q3
Joe worried that network adminstrator miht detect the wiretap program by querying
the interfaces to see of they are running in promiscuous mode.

a. Block output to the console whenever the user runs ifconfig command by running screen
capture utility
b. Run the wiretap program in stealth mode from being detected by the ifconfig command
c. Repalce original ifconfig utility with the rootkit version of ifconfig hiding
Promiscuous information being displayed on the console
d. You cannor disable Promiscuous mode detection on Linux Systems.

Answer given is D, and I thought answer should be C.

I thought we can disable it by entering -> ifconfig eth0 -promisc

Q 4
A following attack on web server using obstructed URL:
http://www.example.com/scri[t.ext?template%2e%2e%2e%2e%2e%2f%65%74%63%2f%7

how to protect information systems from these attacks

A. Configure web server to deny alerts from these attacks
B. Create rules in IDS to alert on strange Unicode requests
C. Use SSL authentication on Web Servers
D. Enable Active scri[ts detection at the firewall and routers.

Answer given is B

The only reason i thought of its IDS deployed infront of the web server (DMZ segment)

what about A? can we configure the webserver to deny unicode request?

5.
Bubba has just accessed he preferred ecommerce web site and has spotted an item that he would like to buy. Bubba considers the price a bit too steep. He looks at the source code of the webpage and decides to
save the page locally, so that he can modify the page variables. In the context of web application security,
what do you think Bubba has changes?

A. A hidden form field value.
B. A hidden price value.
C. An integer variable.
D. A page cannot be changed locally, as it is served by a web server.

Answer given is A.

I was thinking whether the answer could be D.
Even the entire page is downloaded into our PC, we changed the value locally, but it doesnt reflect in the server such via POST method...


	Logged

skel

Jr. Member

Offline

Posts: 60

"Beam me up Scotty - Only hackers here"

Re: Questions - required feebacks/views

« Reply #1 on: October 16, 2006, 11:18:38 PM »

Hi Dareth

Quote from: dareth on October 16, 2006, 08:22:28 AM

Q1
Doug is conducting a port scan of a target network. He knows that his client target network
has a web server and that there is a mail server which is up and running. Dough has been sweeping the network but has not been able to elicit any response from the remote target.
Which of the following could be the most likely cause behind this lack of response? Select 4

a. UDP is filtered by a gateway
b. The packet TTL value is too low and cannot reach the target
c. The host might be down
d. The destination network might be down
e. The TCP windows size does not match
f. ICMP is filterd by a gateway

ans: A,B,C,D

i thought the answer is A,C,D,F

Although b. is a unlikely situation I would go for b. rather than f. Why ? There are manyways u can do a port scan, its not necessarily ICMP ping. (Ex see NMAP help for different ways of scaning a network or a box). So filtering ICMP probably is not a cause for negative results.

Quote

Q2
You have the SOA presented below in you Zone. Your secondary servers have not been able to contact your primary server to synchronise information. How long will the secondary servers attempt to conact the primary server before it considers that zone is dead and stops responding to queries?
college.edu (200302028 3600 3600 6+4800 3600)

a. 1 day
b. 1 hour
c. 1 week
d. 1 month

Answer: C

i thought the answer is 1 hour??
60sec x 60 = 3600seconds

To my knowladge 1 hr seems to correct. But again I am not a DNS expert. It seems that the definition of the TTL has changed at some time ( see hxxp://www.zytrax.com/books/dns/ch8/soa.html ). Sorry I dont have time to read and give a full explanation.

Quote

Q3
Joe worried that network adminstrator miht detect the wiretap program by querying
the interfaces to see of they are running in promiscuous mode.

a. Block output to the console whenever the user runs ifconfig command by running screen
capture utility
b. Run the wiretap program in stealth mode from being detected by the ifconfig command
c. Repalce original ifconfig utility with the rootkit version of ifconfig hiding
Promiscuous information being displayed on the console
d. You cannor disable Promiscuous mode detection on Linux Systems.

Answer given is D, and I thought answer should be C.

Actual test is definitely wrong here. The answer is C

Quote

Q 4
A following attack on web server using obstructed URL:
http://www.example.com/scri[t.ext?template%2e%2e%2e%2e%2e%2f%65%74%63%2f%7

how to protect information systems from these attacks

A. Configure web server to deny alerts from these attacks
B. Create rules in IDS to alert on strange Unicode requests
C. Use SSL authentication on Web Servers
D. Enable Active scri[ts detection at the firewall and routers.

Answer given is B

The only reason i thought of its IDS deployed infront of the web server (DMZ segment)

what about A? can we configure the webserver to deny unicode request?

Ar you sure u reproduced this question correctly ?
"Configure web server to deny alerts from these attacks" doest make much sense. If the option is "Configure web server to deny unicode request", then u have a point. This is one of the ambigous questions which I too found in CEH. Both A and B can be correct based on defferent scenarios.

Quote

5.
Bubba has just accessed he preferred ecommerce web site and has spotted an item that he would like to buy. Bubba considers the price a bit too steep. He looks at the source code of the webpage and decides to
save the page locally, so that he can modify the page variables. In the context of web application security,
what do you think Bubba has changes?

A. A hidden form field value.
B. A hidden price value.
C. An integer variable.
D. A page cannot be changed locally, as it is served by a web server.

Answer given is A.

I was thinking whether the answer could be D.
Even the entire page is downloaded into our PC, we changed the value locally, but it doesnt reflect in the server such via POST method...

Answer A is correct. U can save a page locally and change a form field value and resubmit. Most popular ecommerce sites have protection against this. But I can give you u live ecommerce site in the internet where u can do this. U can actully add a $30 item to ur shopping cart with a price tag of $10. But..... it is unethical to disclose the site and it will be even worse it somebody try purchase stuff that way. ..... And "YES" I did go upto the purchase point and "NO" I did not buy anything this way.

Regards


	Logged

Skel

dareth

Newbie

Offline

Posts: 5

Re: Questions - required feebacks/views

« Reply #2 on: October 17, 2006, 11:16:31 AM »

Quote

Q2

To my knowladge 1 hr seems to correct. But again I am not a DNS expert. It seems that the definition of the TTL has changed at some time ( see hxxp://www.zytrax.com/books/dns/ch8/soa.html ). Sorry I dont have time to read and give a full explanation.

I did a check and the answer is indeed 1 hour

Quote

Q 4
Ar you sure u reproduced this question correctly ?
"Configure web server to deny alerts from these attacks" doest make much sense. If the option is "Configure web server to deny unicode request", then u have a point. This is one of the ambigous questions which I too found in CEH. Both A and B can be correct based on defferent scenarios.

I will look for the question once more.


	Logged

dareth

Newbie

Offline

Posts: 5

Re: Questions - required feebacks/views

« Reply #3 on: October 18, 2006, 09:59:53 AM »

6.
You are conducting a port scan on a subnet that has ICMP blocked. You have discovered 23
live systems and after scanning each of them, you notice that they all show port 21
in closed state.

What should be the next logical step that should be performed?

A. Connect to open ports to discover applications.
B. Perform a ping sweep to identify any additional systems that might be up.
C. Perform a SYN scan on port 21 to identify any additional systems that might be up
D. Re-scan every pc to vertify results

Ans is C.

I dont understand this. Since we had performed a scan and discovered 23 'live' system.
Port 21 in 23 systems are closed. I believe there's a TCP port scan on a specific subnet to discover 23 'live' system.

Why do we need to perform another syn scan on port 21 to discover more 'live' systems!!
The only reason i derived is to perform another tcp scan on another subnet.

7.
Which of the following statements about a zone transfer correct? (Choose 3)

A. A zone transfer is accomplished with DNS
B. A zone transfer is accomplished with the nslookup service
C. A zone transfer passes all zone information that a DNS server maintains
D. A zone transfer passes all zone information that a nslookup server maintains
E. A zone transfer can be prevented by blocking all inbound TCP port 53 connections
F. Zone transfer cannot occur on the Internet.

Ans: A , C , E

i thought the answer should be B,C,E
why B -> http://support.microsoft.com/kb/200525

any comments/replies are welcomed.


	Logged

skel

Jr. Member

Offline

Posts: 60

"Beam me up Scotty - Only hackers here"

Re: Questions - required feebacks/views

« Reply #4 on: October 18, 2006, 10:35:17 PM »

Quote

Which of the following statements about a zone transfer correct? (Choose 3)

A. A zone transfer is accomplished with DNS
B. A zone transfer is accomplished with the nslookup service
C. A zone transfer passes all zone information that a DNS server maintains
D. A zone transfer passes all zone information that a nslookup server maintains
E. A zone transfer can be prevented by blocking all inbound TCP port 53 connections
F. Zone transfer cannot occur on the Internet.

Ans: A , C , E

* U need a DNS server to get the zone
* U use the tool nslookup to carry out the zone transfer.

So it all depends on how u interpret the word "accomplished". I would prefer B over A in this case. In the absence of B, the best answer would be A.

But ultimately the correct answer is what the EC council expects, and that only God knows Undecided

Any comments are welcome from other members.


	Logged

Skel

dareth

Newbie

Offline

Posts: 5

Re: Questions - required feebacks/views

« Reply #5 on: October 18, 2006, 11:58:35 PM »

Hi skel,
i had found the Q4 and re-wrote it.

Take a look at the following attack on a web server using obstructed URL:
http://www.example.com/script.ext?template%2e%2e%2e%2e%2e%2f%65%74%63%2f%7

The request is made up of:
1. %2e%2e%2e%2e%2e%2f = ../../../
2. %65%74%63 = etc
3. %2f = /
4. %70%61%73%73%77%64 = passwd

how would you protect information systems from these attacks

A. Configure web server to deny alerts from these attacks
B. Create rules in IDS to alert on strange Unicode requests
C. Use SSL authentication on Web Servers
D. Enable Active scri[ts detection at the firewall and routers.

Answer given is B, and i thought answer should be A.

I suppose 'these attacks' are referring to the unicode expoilts

IDS, unlike IPS (Intrusion Prevention Devices) only detect but couldnt prevent the expoilts. If its is a IPS deployed infront of the web server, it will
able to 'match' the expoilts based on the created rules.

8.
While examining audit logs, you discover that people able to telnet into the SMTP server on port 25. You would like to block this, though you do not see any evidence of an attack or other wrong doings.

However, you are concerned about affecting the normal functionality
of the email server. From the following options, choose how best you can achieve this objective?

A. Block port 25 at the firewall
B. Shut off the SMTP service on the server
C. Force all connections to use a username and password
D. Switch from Windows Echange to UNIX sendmail.
E. None of the above.

Answer is E.
I thought the answer is C.

Most of the ISP had enforced smtp authentication or 'pop before send'. Probably i think a step ahead, like security measures/controls...

The only reason I can think of about AT chose E; initally when we telnet in
port 25, we do not need to authenticate.

Guys, do you agree??


	Logged

skel

Jr. Member

Offline

Posts: 60

"Beam me up Scotty - Only hackers here"

Re: Questions - required feebacks/views

« Reply #6 on: October 19, 2006, 10:41:08 PM »

Quote

A. Configure web server to deny alerts from these attacks

I cannot see the logic of how denying alerts from web server can help unicode attacks Huh

Quote

8.
While examining audit logs, you discover that people able to telnet into the SMTP server on port 25. You would like to block this, though you do not see any evidence of an attack or other wrong doings.

However, you are concerned about affecting the normal functionality
of the email server. From the following options, choose how best you can achieve this objective?

A. Block port 25 at the firewall
B. Shut off the SMTP service on the server
C. Force all connections to use a username and password
D. Switch from Windows Echange to UNIX sendmail.
E. None of the above.

I dont know much about pop before smtp, but this method seems to work only in caseses designated users are allowed to relay mail though a specific mail server. But if I want to send a mail to dareth@xyz.com, u cannot enforce pop before smtp to me. U need to open the port smtp of xyz mail server.

If the port is open, u can telnet and grab the banner. But there are probably methods to restrict manual telnet. ( eg implienting a quick timeouts )

So IMO E is the answer


	Logged

Skel

Oyle

Sr. Member

Offline

Posts: 264

"Man. Nature. Technology".

Re: Questions - required feebacks/views

« Reply #7 on: October 20, 2006, 11:07:09 AM »

I realize you want to verify the questions and everything, but I really don't think you should be posting actual test questions here in this forum. You are violating the legal agtreement you signed when you do the exam; if someone from EC-council should see you doing this, they would very easily be within their rights to revoke your certification and even prosecute you in court. Microsoft has done it in the past. You are destroying the integrity and value of the exam.
Don should come along and delete this entre thread.

You could probably discuss this better via email or even PM, but not in a public forum like this.

Just a warning: you should imeddiately CEASE AND DESIST!! I'm not a lawyer, but even I know better than to do this.

This is a form of CHEATING, and is not ethical. There may be other people studying for the exam, and this is not the correct way to learn.

I guess this is why you guys are still newbies.


« Last Edit: October 20, 2006, 11:12:11 AM by Oyle »	Logged

MCP, MCP+I, MCSA, MCSE(NT4/W2K), CCNA, CCA, NWCCC, VH-PIRTS, CEH
--------------------
"hackers are like jedi, crackers are like the sith: do not fall prey to the dark side".

From 1337 h4x0r h4ndb00k: "the ten laws of geek", law x
-Tapeworm

don

Editor-In-Chief
Administrator
Hero Member

Offline

Posts: 4165

Editor-In-Chief

Re: Questions - required feebacks/views

« Reply #8 on: October 20, 2006, 12:21:46 PM »

3 thoughts on this:

1. Members are responsible and liable for their own posts not the owners of the site.
2. This was from ActualTests. He didn't claim it was from the real CEH exam. We could debate where they get their questions and answers, but I won't do that now. So as far as we know, this is simply a practice exam which is legal. He also didn't just ask for the answers. He gave what he thought the answer should be and why he thought it was wrong. So if anything, this once again proves that, although the legality of such products is debatable, they often have wrong answers, so the decision to use them is considered unwise.
3. Oyle has every right to question the validity of the post and warn against possible backlash from the cert org.

Please don't reply to these thoughts here. I am going to copy and paste them into a new thread for further discussion here:
http://www.ethicalhacker.net/component/option,com_smf/Itemid,49/topic,743.0/

Don


« Last Edit: October 20, 2006, 12:40:54 PM by don »	Logged

CISSP, MCSE, CSTA, Security+ SME

Oyle

Sr. Member

Offline

Posts: 264

"Man. Nature. Technology".

Re: Questions - required feebacks/views

« Reply #9 on: October 20, 2006, 03:58:23 PM »

OK, I take it that "Actual tests" is something similar to "Testkillers", where you purchase actual test questions and answers to prepare for the actual exam. I personally have never heard of "Actual Tests", but there are so many of these things out there, it's possible.

I would put no faith into these things at all; the best alternative is actual, hands-on experience. Good luck with that.

I would strongly suggest that they not post these things here; while they may be looking for "feebback/views" we all know they are in search of a correct answer.

Maybe in the future, if they really want to do these, post them and DON'T phrase them as a question; post them in the manner that TheMorpheus posts them in, as a hypothetical situation; Don't just list the question and then 4 multiple choice answers.

I'm not aware of Don's actual relationship, but I know that Don had talked previously with people at EC-Council. What's to stop someone from EC-Council from browsing the forums here and having him discover this thread? Then Don would be in trouble, as he is resposnible for this forum? Then we risk the possibilty of EH-Net being shut down, and NONE of us wants that. I sure don't.

Yoc can call me any name you want, I don't care. But I'm trying to save a valuable resource here, and besides: I enjoy it here, and I don't want to see it go away. Cry

I SURE as heck don't want to see DON get in trouble. if he does, I'm going to be mad. Angry

People don't like me when I'm mad. I turn all green, and get big, and bust out of my shirt, and, we'll, you wouldn't like me when I'm mad. I smash. Grin

PLEASE don't do this anymore!!


« Last Edit: October 20, 2006, 04:03:13 PM by Oyle »	Logged

Kev

Guest

Re: Questions - required feebacks/views

« Reply #10 on: October 20, 2006, 05:34:19 PM »

I don’t think we need to insult the posters here and call them newbs, etc.. It seemed to me they had genuine concerns and had no malicious intent. Also, I think Don asked that we post about this on a new thread. Perhaps it would be better in the future if someone had questions concerning mistakes in test preps or test cheats or whatever you want to call it, they just post a question and not copy and paste from materials like this. And don’t disclose where it came from.


	Logged

Negrita

Sr. Member

Offline

Posts: 299

Re: Questions - required feebacks/views

« Reply #11 on: October 20, 2006, 08:37:40 PM »

Okay, hopefully I can get this thread back on it's original track.

Question 7
nslookup is a tool not a service. Zone transfers are done by the DNS service. It is true that a zone transfer can be attempted by using nslookup with the ls -d flags but this is not the norm and is rarely successful. The correct answer in my opinion is as originally stated A, C, E.

Question 8
For this question you have to understand how SMTP works. Read RFC 821 and also RFC 2821. When any RFC compliant device tries to send mail, it first gets the MX and A record of the receiving mail server, and then tries to open an SMTP session on port 25. If a valid session is opened, the mail will be sent.

Quote

While examining audit logs, you discover that people able to telnet into the SMTP server on port 25. You would like to block this, though you do not see any evidence of an attack or other wrong doings.

This is normal behaviour as per the RFC's.

A. Block port 25 at the firewall This is wrong as it will not allow valid SMTP sessions and will "affect the normal functionality of the email server."
B. Shut off the SMTP service on the server As above.
C. Force all connections to use a username and password Authentication will only verify the legitimacy of the person/bot tryng to send mail, but they have to open an SMTP session on port 25 first before authentication.
D. Switch from Windows Echange to UNIX sendmail. This won't help as both use SMTP on port 25.
E. None of the above. This is correct. there is no way of blocking port 25 without "affecting the normal functionality of the email server."


« Last Edit: October 20, 2006, 08:39:44 PM by Negrita »	Logged

CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.

dareth

Newbie

Offline

Posts: 5

Re: Questions - required feebacks/views

« Reply #12 on: October 20, 2006, 08:53:24 PM »

Thanks for everybosy's feedbacks
Skel: thanks for the feedbacks.
Negrita: i will read the RFCs..

I wish to apologise if i had caused any dis-comforts to anyone here... I do not wish to re-produce the question but i afraid i would have produced the questions wrongly, which act according to my thoughts.

moderator: u can erase this thread anytime.

I took the test and pass with rather good results. Once again, i really appreciate those who help me to clarify some doubts along the way. A reminder to those who's taking, dont trust the answers too much, whether its TK,AT, etc..

cheers,
Dareth


« Last Edit: October 20, 2006, 11:42:26 PM by dareth »	Logged

Pages: [1] Go Up

« previous next »