
Exam question

LegioX

Newbie

Posts: 25

Joined: Sun Sep 24, 2006 5:27 am

Post Tue Sep 26, 2006 2:53 pm

Exam question

Hi,

I have a question about one of the questions I've come across while studying for the CEH exam.
It goes as follows:

Employee wants to defeat detection by an N-IDS. He does not want to attack the system containing the IDS. Which of the following strategies can be employed to defeat detection?
A  Create a network tunnel
B  Create Multiple False Positives
C  Create a SYN flood
D  Create a ping flood

The answer listed is D, but I would have thought A was the best answer. This is because D would alert the IDS and not avoid detection.
Any thoughts?
MCSE & MCSA : Security (2003), A+, Network+, Security+, CEH, CCNA, JNCIA-FMW

Kev

Post Tue Sep 26, 2006 3:38 pm

Re: Exam question

Both A and D could work in certain circumstances, but I am sure they mean D. The theory of the ping flood is you can confuse the IDS by overloading it with packet data; that way you don't stand out. Not very stealthy in one sense, but it can work for a quick in-and-out attack. On the other hand, depending on what you define as a "network tunnel", you could make a tunnel and make sure your data flow is encrypted; while you won't hide that you are there, you might hide what you are doing.
Last edited by Kev on Tue Sep 26, 2006 3:44 pm, edited 1 time in total.
morpheus063

Sr. Member

Posts: 393

Joined: Sun Jun 25, 2006 10:08 am

Location: Cochin - India

Post Tue Sep 26, 2006 10:03 pm

Re: Exam question

Hi All,

I have some comments to make on the above post(s). Firstly, let's take the definition of a ping flood:
Ping Flood attacks attempt to saturate a network by sending a continuous series of ICMP echo requests (pings) over a high-bandwidth connection to a target host on a lower-bandwidth connection to cause it to send back an ICMP echo reply for each request. Ping Flood attacks can slow down a network or even disable network connectivity.


Also a ping flood is considered as a DoS attack. Now if you look at the question, it clearly says that the Employee does not want to attack the system containing the IDS. If the employee initiates a ping flood on the IDS, it is a clear case of an attack on the IDS. Hence, in my opinion, Option D is not the correct answer.

Please comment on this post or correct me if I am wrong.

Regards,

Morpheus
Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n

Kev

Post Tue Sep 26, 2006 10:41 pm

Re: Exam question

I think the problem with the question is the wording. What do they mean by "attack"? Some admins would even consider active sniffing and port probing the beginning of an attack. If he doesn't want to attack it, then what are they talking about? Send happy little emails to it? Perhaps it's a typo and they meant he doesn't want his attack to be seen as an attack? Also, I think they should have written "Send a flood of fragments" instead of "Ping flood", which limits it to ICMP packets.
 
Flooding an IDS with fragments is a well-known method of attempting to evade the IDS. The idea is to try and tie up all the memory capacity of the IDS by sending in so many fragments that the system becomes saturated. Once saturated, the IDS might not detect your next move because it can't gather the packets with its packet queue filled.

Anyway, I would not attempt to do it that way; I have better success with FragRoute. It's better to try and craft your packets in such a way that the IDS doesn't understand them.

All in all, this seems like another example of a poorly written test question for the CEH exam by some vendor selling prep tests.
Last edited by Kev on Tue Sep 26, 2006 10:50 pm, edited 1 time in total.
skel

Jr. Member

Posts: 60

Joined: Wed Aug 30, 2006 11:31 am

Post Tue Sep 26, 2006 11:43 pm

Re: Exam question

There are a lot of CEH questions which do not give proper information to select the answer. I do not think this is a poorly written question by a prep vendor; actually, this is how CEH presents the questions. There are more absurd questions than this in the CEH.

He does not want to attack the system containing the IDS


It looks as if the author is trying to say that the IDS should not be triggered by any unusual activity. If u consider this meaning, a ping flood is out. Since B, C and D would trigger the IDS in some way, I would vote for 'A' as the answer.

When u don't have a clear-cut answer to a question, the next best thing would be to eliminate the obviously wrong answers. If you work upwards from here, you will be left with the most likely answer. This is general advice for any MCQ question.
Skel
LegioX

Newbie

Posts: 25

Joined: Sun Sep 24, 2006 5:27 am

Post Wed Sep 27, 2006 3:11 am

Re: Exam question

Thanks for the prompt reply everybody. And I am certainly glad that I wasn't the only one confused by this question!

I guess when I read the question I did make a few presumptions. Namely, that the 'ping flood' would be considered an attack, and secondly that the 'network tunnel' would be somehow encrypted and therefore avoid detection by the N-IDS.

That seems to be the general consensus. So most people here would go for 'D' then?
MCSE & MCSA : Security (2003), A+, Network+, Security+, CEH, CCNA, JNCIA-FMW

Kev

Post Wed Sep 27, 2006 11:19 am

Re: Exam question

Strictly speaking, creating a network tunnel would not work to evade an IDS. If by "network tunnel" they mean something like an encrypted VPN connection, then the answer would be yes.

A ping flood doesn't necessarily mean a DoS attack in the sense of trying to do a denial of service. The way this hack would be done is to run the flood from a hijacked computer and run a command from its command prompt like C:\ ping -t -l 65000 "IP address", although you might want to use a smaller packet than 65000; but I have found that from a single computer this will not crash most servers. We are just trying to gently overload the IDS, not crash anything.

Then once we feel the IDS queue has been flooded from another box, we can begin whatever scans etc. we might like and not be seen by the saturated IDS. So in my opinion either A or D is correct if you expand on the meaning, and both are incorrect if you simply take them at face value. I would rather try and answer questions like this based on my real-world experience and not from an armchair hacking debate on semantics. I am curious as to where you saw this question. Was it on a prep test?
Last edited by Kev on Wed Sep 27, 2006 11:35 am, edited 1 time in total.
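As an added example that is not from any post in this thread, here is the sensor-side view of the two saturation symptoms Kev describes (the oversized `ping -t -l 65000` flood in the post above, and the fragment flood in his earlier post): a per-source, per-second counter that flags both. The packet-summary format, the thresholds and the addresses are constructed for this example and are not taken from any real IDS.

```python
from collections import defaultdict, namedtuple

# One summarised packet as a sensor might log it (constructed format for this example).
Packet = namedtuple("Packet", "t src proto ip_len more_fragments")

def icmp_echo_on_wire(src, t, payload_len, mtu=1500):
    """Splits one ICMP echo request carrying payload_len bytes the way a 1500-byte
    MTU fragments it: 20-byte IP header per fragment, 8-byte ICMP header once.
    This approximates how `ping -l 65000` looks to a sensor (constructed model)."""
    total = payload_len + 8          # ICMP header + data
    chunk = mtu - 20                 # 1480 bytes, a multiple of 8 as fragmentation requires
    frags, offset = [], 0
    while offset < total:
        size = min(chunk, total - offset)
        frags.append(Packet(t, src, "ICMP", size + 20, offset + size < total))
        offset += size
    return frags

def detect_saturation(packets, icmp_per_sec=50, frags_per_sec=100, window=1.0):
    """Per-source, per-window counters: a sustained ICMP flood and an excess of
    fragments awaiting reassembly are the two symptoms the thread describes."""
    icmp, frags = defaultdict(int), defaultdict(int)
    for p in packets:
        key = (p.src, int(p.t // window))
        if p.proto == "ICMP":
            icmp[key] += 1
        if p.more_fragments:          # a non-final fragment sits in the reassembly queue
            frags[key] += 1
    alerts = []
    for (src, w), n in sorted(icmp.items()):
        if n > icmp_per_sec:
            alerts.append((src, w, "icmp-flood", n))
    for (src, w), n in sorted(frags.items()):
        if n > frags_per_sec:
            alerts.append((src, w, "fragment-flood", n))
    return alerts

def sample_traffic():
    """Constructed capture: one host hammering oversized pings, one host pinging normally."""
    pkts = []
    for i in range(4):                                   # 4 x 65000-byte echoes within 1 s
        pkts += icmp_echo_on_wire("10.0.0.5", 0.25 * i, 65000)
    pkts += icmp_echo_on_wire("10.0.0.9", 0.1, 56)       # default-size ping, one datagram
    pkts += icmp_echo_on_wire("10.0.0.9", 1.1, 56)
    return pkts

if __name__ == "__main__":
    for alert in detect_saturation(sample_traffic()):
        print(alert)
```

A sensor that is genuinely saturated also drops packets, so these counters should be read alongside the sensor's own packet-loss statistics rather than on their own.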

LSOChris

Post Wed Sep 27, 2006 10:39 pm

Re: Exam question

It's on the cheat exam...

Why not B? If you can slip your attack in with a bunch of false positives, don't you have a chance of the attack being overlooked?

I don't believe creating false positives would be considered attacking the box... but as you can tell by the thread, it's open to debate ;-)
LegioX

Newbie

Posts: 25

Joined: Sun Sep 24, 2006 5:27 am

Post Thu Sep 28, 2006 3:23 am

Re: Exam question

He's right - it shows up on both the TestKing and a VCE that I'm using for revision (felt the need to point that out pre-emptively!).

In saying that though I've come across questions just as ambiguous in both the Preplogic and Boson practice tests...
MCSE & MCSA : Security (2003), A+, Network+, Security+, CEH, CCNA, JNCIA-FMW

Kev

Post Thu Sep 28, 2006 11:24 am

Re: Exam question

Wow, you are studying all of those exam preps? I admire your effort. I will say I am not a big fan of preps like those. I think they might have some value if you use them as a guide to test your general knowledge, but from what I hear and what I have actually seen, they are a waste of time if you hope you will see the exact same questions on the CEH exam. I remember reading a number of posts on the old Boson forum that there were only 2 questions on the entire CEH exam that mirrored the questions in the Boson prep. There were so many complaints that Boson closed down the forum! That's not good if you were hoping to just memorize a bunch of answers and ace the test, lol! My feeling is it's better to focus on real-world hacking skill than just trying to pass a test by reading questions and answers.

So say you pass the test and you still can't do a pentest? What value is that and how long will you last in the industry? Of course reading is good and my advice is to read "Counter Hack" by Ed Skoudis to get an overview. Then read "Certified Ethical Hacker" by Michael Gregg to get a better idea of the CEH material. After that, work with something like Learn Security Online which has a lot of practical work. Make sure you set up some kind of hack lab and then get busy. The key is to get your fingers dirty, so to speak. Don't be an armchair hacker.
Last edited by Kev on Thu Sep 28, 2006 11:58 am, edited 1 time in total.
LegioX

Newbie

Posts: 25

Joined: Sun Sep 24, 2006 5:27 am

Post Thu Sep 28, 2006 1:32 pm

Re: Exam question

I appreciate your input.

I like to try and use materials from different sources and not rely on one vendor to get a good feel for the content - that's why I'm using all the different practice tests.

I have no intention of being an armchair hacker!
I have VMWare and a few different labs setup, so am trying to get the hands-on stuff as well.
I've used the CBT Nuggets video lectures and read Gray Hat Hacking by Shon Harris. I found this a great book, but didn't find it related very well to the CEH exam specifically... (I would recommend it as a good read though).

Some of the tools I've used for years (e.g. Nmap) and others I've only come across by doing this exam (e.g. Hunt).

When I do an exam I like to learn about the topic, as much as I can, rather than just memorize answers... Hence the Preplogic/Boson involvement.

I know it's all a bit OTT but I get pretty nervous doing exams and like to walk in feeling prepared.

Right now I'm cautiously optimistic  ;D
MCSE & MCSA : Security (2003), A+, Network+, Security+, CEH, CCNA, JNCIA-FMW
skel

Jr. Member

Posts: 60

Joined: Wed Aug 30, 2006 11:31 am

Post Thu Sep 28, 2006 10:31 pm

Re: Exam question

Well LegioX

If you are targeting the exams, try TestKing. I did the exam about 2 weeks ago. About 95% of the questions matched word for word with TestKing. But don't rely on the answers. I haven't tried the others though.

My advice/comments on the exam is on thread http://www.ethicalhacker.net/component/option,com_smf/Itemid,49/topic,665.0/

regards
Skel

LSOChris

Post Fri Sep 29, 2006 3:57 pm

Re: Exam question

Knowing your basics and actually knowing the material the objectives cover will take you farther than memorizing questions from a "study" site.
skel

Jr. Member

Posts: 60

Joined: Wed Aug 30, 2006 11:31 am

Post Mon Oct 02, 2006 12:49 am

Re: Exam question

Agreed.

Once you start running the tools and realise the power behind them, you will never be able to get out if u are serious about security/hacking  ;D
Skel
piewacket

Newbie

Posts: 5

Joined: Mon Oct 02, 2006 3:51 pm

Post Mon Oct 02, 2006 4:08 pm

Re: Exam question

I have a 5-day course next week and have been studying for about 2 months with the EC-Council official courseware manual and exam prep.

Can anyone recommend buying TestKing or others? I've seen several mentioned on this forum.

rgds
