Evading IDS, Firewalls, and Honeypots Flashcards

1
Q

What is Signature Recognition?

A

Signature recognition, also known as misuse detection, tries to identify events that indicate an abuse of a system or network resource

2
Q

What is Protocol Anomaly Detection?

A

In this type of detection, models are built to explore anomalies in the way in which vendors deploy the TCP/IP specification

3
Q

What is Anomaly Detection?

A

Anomaly detection detects intrusions based on the fixed behavioral characteristics of the users and components in a computer system

4
Q

What is a Bastion Host?

A

The bastion host is designed for defending the network against attacks. It acts as a mediator between inside and outside networks. A bastion host is a computer system designed and configured to protect network resources from attacks. Traffic entering or leaving the network passes through the firewall

5
Q

What is a malware honeypot?

A

Malware honeypots are used to trap malware campaigns or malware attempts over the network infrastructure. These honeypots are simulated with known vulnerabilities such as outdated APIs, vulnerable SMBv1 protocols, etc., and they also emulate different Trojans, viruses, and backdoors that encourage adversaries to perform exploitation activities

6
Q

What is a honeynet?

A

Honeynets are networks of honeypots. They are very effective in determining the entire capabilities of the adversaries. Honeynets are mostly deployed in an isolated virtual environment along with a combination of vulnerable servers. The various TTPs employed by different attackers to enumerate and exploit networks will be recorded, and this information can be very effective in determining the complete capabilities of the adversary

7
Q

What is a spider honeypot?

A

Spider honeypots are also called spider traps. These honeypots are specifically designed to trap web crawlers and spiders. Many threat actors perform web crawling and spidering to extract important information from web applications. Such crucial information includes URLs, contact details, directory details, etc

8
Q

What is a spam honeypot?

A

Spam honeypots specifically target spammers who abuse vulnerable resources such as open mail relays and open proxies. Basically, spam honeypots consist of mail servers that deliberately accept emails from any random source from the Internet

9
Q

What is a packet-filter (stateless) firewall?

A

A packet filtering firewall investigates each individual packet passing through it and makes a decision whether to pass the packet or drop it. It works at the Internet protocol (IP) layer of the TCP/IP model (network layer of the OSI model). Packet filter–based firewalls concentrate on individual packets, analyze their header information, and determine which way they need to be directed

11
Q

Which of the following descriptions is true about a static NAT?

A static NAT uses a one-to-one mapping.
A static NAT uses a many-to-one mapping.
A static NAT uses a one-to-many mapping.
A static NAT uses a many-to-many mapping.

A

A static NAT uses a one-to-one mapping

13
Q

At which two traffic layers do most commercial IDSes generate signatures? (Select Two)

Session layer
Application layer
Network layer
Transport layer

A

Network and Transport layers (easiest layers to filter)

14
Q

Which of the following attributes in a packet can be used to check whether the packet originated from an unreliable zone?

TCP flag bits
Interface
Direction
Source IP address

A

Interface

15
Q

A circuit-level gateway works at which of the following layers of the OSI model?

Layer 5 – Session
Layer 4 – Transport
Layer 2 – Data Link
Layer 3 – Network

A

Layer 5 – Session

16
Q

What is discretionary access control?

A

In discretionary access control (DAC), the owner of the object specifies which subjects can access the object. This model is called discretionary because the control of access is based on the discretion of the owner.

Most operating systems such as all Windows, Linux, and Macintosh and most flavors of Unix are based on DAC models.

In these operating systems, when you create a file, you decide what access privileges you want to give to other users; when they access your file, the operating system will make the access control decision based on the access privileges you created

17
Q

What is mandatory access control?

A

In mandatory access control (MAC), the system (and not the users) specifies which subjects can access specific data objects.

The MAC model is based on security labels. Subjects are given a security clearance (secret, top secret, confidential, etc.), and data objects are given a security classification (secret, top secret, confidential, etc.). The clearance and classification data are stored in the security labels, which are bound to the specific subjects and objects.

When the system is making an access control decision, it tries to match the clearance of the subject with the classification of the object. For example, if a user has a security clearance of secret, and he requests a data object with a security classification of top secret, then the user will be denied access because his clearance is lower than the classification of the object.

The MAC model is usually used in environments where confidentiality is of utmost importance, such as a military institution.

Examples of the MAC-based commercial systems are SE Linux and Trusted Solaris

18
Q

What is Snort (software)?

A

Snort is an open-source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and it is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts

19
Q

What is Suricata (software)?

A

Suricata is a robust network threat detection engine capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM), and offline pcap processing

20
Q

What is KFSensor (software)?

A

KFSensor is a host-based IDS that acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and Trojans. By acting as a decoy server, it can divert attacks from critical systems and provide a higher level of information than that achieved using firewalls and NIDS alone

21
Q

What is zIPS (software)?

A

Zimperium’s zIPS™ is a mobile intrusion prevention system app that provides comprehensive protection for iOS and Android devices against mobile network, device, and application cyber-attacks

22
Q

When an alert rule is matched in a network-based IDS like Snort, the IDS does which of the following:

Stops checking rules, sends an alert, and lets the packet continue
Continues to evaluate the packet until all rules are checked
Drops the packet and moves on to the next one
Blocks the connection with the source IP address in the packet

A

Continues to evaluate the packet until all rules are checked

23
Q

Which of the following is not an action present in Snort IDS?

Alert
Pass
Log
Audit

A

Audit

24
Q

What is NetPatch Firewall (software)?

A

NetPatch Firewall is a full-featured, advanced Android no-root firewall. It can be used to take full control over the mobile device’s network traffic. With NetPatch Firewall, you can create network rules based on app, IP address, domain name, and so on. This firewall is designed to save the mobile device’s network traffic and battery consumption, improve network security, and protect privacy.

25
Q

What is Specter (software)?

A

SPECTER is a honeypot. It automatically investigates attackers while they are still trying to break in. It provides massive amounts of decoy content, and it generates decoy programs that cannot leave hidden marks on the attacker’s computer. Automated weekly online updates of the honeypot’s content and vulnerability databases allow the honeypot to change regularly without user interaction

26
Q

In Evading IDS, what are Invalid RST Packets used for?

A

TCP uses 16-bit checksums for error checking of the header and data and to ensure that communication is reliable. It adds a checksum to every transmitted segment that is checked at the receiving end. When a checksum differs from the checksum expected by the receiving host, TCP drops the packet at the receiver’s end. TCP also uses an RST packet to end two-way communications. Attackers can use this feature to elude detection by sending RST packets with an invalid checksum.

27
Q

In Evading IDS, what is a fragmentation attack?

A

Fragmentation can be used as an attack vector when fragmentation timeouts vary between the IDS and the host. Through the process of fragmenting and reassembling, attackers can send malicious packets over the network to exploit and attack systems

28
Q

In Evading IDS, what is obfuscation?

A

It is an IDS evasion technique used by attackers to encode the attack packet payload in such a way that the destination host can only decode the packet but not the IDS. An attacker manipulates the path referenced in the signature to fool the IDS. Using Unicode characters, an attacker can encode attack packets that the IDS would not recognize but which an IIS web server can decode

29
Q

In Evading IDS, what is an insertion attack?

A

Insertion is the process by which the attacker confuses the IDS by forcing it to read invalid packets (i.e., the system may not accept the packet addressed to it). An IDS blindly trusts and accepts a packet that an end system rejects. If a packet is malformed or if it does not reach its actual destination, the packet is invalid. If the IDS reads an invalid packet, it gets confused. An attacker exploits this condition and inserts data into the IDS

30
Q

In Evading IDS, what is Overlapping Fragments?

A

Attackers use overlapping fragments to evade IDS. In this technique, attackers generate a series of tiny fragments with overlapping TCP sequence numbers

31
Q

In Evading IDS, what is Polymorphic Shellcode?

A

Polymorphic shellcode attacks include multiple signatures, making it difficult to detect the signature. Attackers encode the payload using some technique and then place a decoder before the payload. As a result, the shellcode is completely rewritten each time it is sent, thereby evading detection. With polymorphic shellcodes, attackers hide their shellcode (attack code) by encrypting it with an unknown encryption algorithm and including the decryption code as part of the attack packet. To carry out polymorphic shellcode attacks, they use an existing buffer-overflow exploit and set the “return” memory address on the overflowed stack to the entrance point of the decryption code

32
Q

In Evading IDS, what is Evasion?

A

An “evasion” attack occurs when the IDS discards packets while the host that intended to receive the packets accepts them. Using this technique, an attacker exploits the host computer. Evasion attacks have an adverse effect on the accuracy of the IDS

33
Q

In Evading IDS, what is session splicing?

A

Session splicing is an IDS evasion technique that exploits how some IDS do not reconstruct sessions before pattern-matching the data. It is a network-level evasion method used to bypass IDS where an attacker splits the attack traffic into an excessive number of packets such that no single packet triggers the IDS. The attacker divides the data in the packets into small portions of a few bytes and evades the string match while delivering the data. The IDS cannot handle an excessive number of small-sized packets and fails to detect the attack signatures. If attackers know what IDS is in use, they could add delays between packets to bypass reassembly checking

34
Q

Eric, a professional hacker, is trying to perform a SQL injection attack on the back-end database system of the InfomationSEC, Inc. During the information gathering process, he identifies that MySQL server is the back-end database engine used. Eric has tried various SQL injection attack attempts based on the information gathered but all of his attempts failed. Later, he discovered that IPS system is blocking all the SQL injection attack attempts. Eric decided to bypass the IPS using string concatenation IPS evasion technique where he needs to break the SQL query into a number of small pieces and concatenates the SQL query end-to-end.

Which of the following string concatenation operators does Eric need to use in the SQL query to concatenate the SQL query end-to-end?

A. “+” operator
B. “||” operator
C. “concat(,)” operator
D. “&” operator

A

concat(,) operator

35
Q

Check Point’s FireWall-1 listens on which TCP port?

A

259

36
Q

What is Loki?

A

Loki uses ICMP tunneling to execute commands of choice by tunneling them inside the payload of ICMP echo packets.

37
Q

Which feature of the Secure Pipes tool opens application communication ports to remote servers without opening those ports to public networks?

Remote forwards
SOCKS proxies
Local forwards
Remote backwards

A

Local forwards open application communication ports to remote servers without opening those ports to public networks. It brings the security of VPN communication to clients and servers on an ad hoc basis without the configuration and management hassle.

38
Q

What is Secure Pipes?

A

Secure Pipes is an SSH tunnel and SOCKS proxy manager for macOS

39
Q

What is Bitvise?

A

Bitvise is SSH tunneling, SFTP, SCP, and SSH client and server software for Microsoft Windows

40
Q

What is super network tunnel?

A

Super Network Tunnel is professional HTTP tunneling software, which includes both HTTP tunnel client and server software