Network Traffic Analysis Midterm Exam


Grading Summary

These are the automatically computed results of your exam. Grades for essay questions, and comments from your instructor, are in the "Details" section below.
Date Taken: 7/30/2014
Time Spent: 56 min , 26 secs
Points Received: 2 / 10 (20%)
Question Type      # Of Questions   # Correct
Multiple Choice    10               2

Grade Details - All Questions
Question 1. Question :

How would you best describe the attack from the trace below?
Mar 31 02:52:42 rt1 1440: 10:34:19: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 209.67.78.202 -> external.primary.dns (8/0), 2 packets
Mar 31 08:09:37 rt1 2264: 15:51:13: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 209.67.78.202 -> external.primary.dns (8/0), 1 packet
Mar 31 08:09:57 rt1 2265: 15:51:33: %SEC-6-IPACCESSLOGP: list 102 denied tcp 209.67.78.202(2100) -> external.primary.dns(53), 1 packet
Mar 31 08:54:23 rt1 2397: 16:35:59: %SEC-6-IPACCESSLOGP: list 102 denied udp 209.67.78.202(3408) -> external.primary.dns(33434), 1 packet
Mar 31 13:55:07 rt1 3319: 21:36:44: %SEC-6-IPACCESSLOGP: list 102 denied udp 209.67.78.202(3408) -> external.primary.dns(33434), 1 packet
Student Answer:
Port scan (Incorrect.)
Teardrop attack (Incorrect.)
Scan for zone transfer (Correct.)
Land attack (Incorrect.)
Points Received: 0 of 1
Comments:

Question 2. Question :
How can you tell that this is an attack, rather than a bad installation or corrupted file?
May 25 22:56:40 solaris rpc.cmsd: [ID 767094 daemon.error] svc_reg(tcp) failed
May 25 22:58:42 solaris rpc.cmsd: [ID 767094 daemon.error] svc_reg(tcp) failed
Student Answer:
There is no easy way to tell; only looking at syslogs and file modification dates can help. (Incorrect.)
You can tell only by looking at the TCPdump files for the suspected day and time. (Incorrect.)
If you look under the pot of gold at the end of the rainbow, it will tell you. (Incorrect.)
A combination of IDS logs and syslogs has to be audited before this can be determined. (Correct.)
Points Received: 0 of 1
Comments:

Question 3. Question :
Which is true for the following scan?
19-May-00 17:31:59 drop inbound udp scan.wins.bad.guy MY.NET.29.8 netbios-ns netbios-ns 78
19-May-00 17:32:09 drop inbound udp scan.wins.bad.guy MY.NET.29.9 netbios-ns netbios-ns 78
19-May-00 17:32:20 drop inbound udp scan.wins.bad.guy MY.NET.29.10 netbios-ns netbios-ns 78
Student Answer:
The network is congested. (Incorrect.)
The scan was stealth. (Incorrect.)
The scan was directed to port 137. (Correct.)
Typical NetBIOS traffic. (Incorrect.)
Points Received: 0 of 1
Comments:

Question 4. Question :

The attacker is probing a port of?
16:51:35.148328 winseek.some.where.1172 > www.mynet2.dom.139: S 4277359487:4277359487(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 109, id 36908)
Student Answer:
Net Ware (Incorrect.)
Windows (Correct.)
UNIX (Incorrect.)
MacOS (Incorrect.)
Points Received: 1 of 1
Comments:

Question 5. Question :

[**] WEB-etc/passwd [**]
07/10-11:26:35.063544 195.96.98.222:12440 -> my.net.1.50:80 TCP TTL:46 TOS:0x0 ID:34513 DF
*****PA* Seq: 0xC8F464C7 Ack: 0xC1F29A8F Win: 0x2238
47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 68 74 73  GET /cgi-bin/hts
65 61 72 63 68 3F 65 78 63 6C 75 64 65 3D 60 2F  earch?exclude=`/
65 74 63 2F 70 61 73 73 77 64 60 20 48 54 54 50  etc/passwd` HTTP
2F 31 2E 30 0D 0A 56 69 61 3A 20 31 2E 31 20 77  /1.0..Via: 1.1 w
77 77 2E 63 61 63 68 65 2E 63 61 73 65 6D 61 2E  ww.cache.casema.
6E 65 74 20 28 4E 65 74 43 61 63 68 65 20 34 2E  net (NetCache 4.
31 52 31 44 35 29 0D 0A 43 6F 6E 6E 65 63 74 69  1R1D5)..Connecti
6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A  on: Keep-Alive..
0D 0A                                            ..
Student Answer:
The attacker is searching for a caching proxy. (Incorrect.)
The source port is suspicious. (Incorrect.)
The source is most likely spoofed. (Correct.)
The attacker is attempting to buffer overflow a Web server. (Incorrect.)

Points Received: 0 of 1
Comments:

Question 6. Question :
From this list, the greatest risk of a peer-to-peer file sharing product such as Gnutella is what?
Student Answer:
There is a lack of authentication. (Incorrect.)
The remote peer identity is unknown. (Incorrect.)
Users download and install software from untrusted sources. (Correct.)
Gnutella requests can constitute a DoS against your network. (Incorrect.)

Points Received: 0 of 1
Comments:

Question 7. Question :

How do you ensure that any changes you have made to community name strings and passwords have been accepted by the SNMP service?
Student Answer:
Reboot the device. (Incorrect.)
Send a killall -9 * from the command console. (Incorrect.)
Run an SNMP attack, such as SNMPwalk or SNMPinfo, against your network. (Incorrect.)
From a different machine, test SNMP connectivity with the old and new community name and password. (Correct.)
Points Received: 0 of 1
Comments:

Question 8. Question :

In the following trace, what is the target OS?
04:55:36.113774 208.213.x.x.1046 > x.x.20.1.137: udp 50 (ttl 112, id 50127)
4500 004e c3cf 0000 7011 588c d0d5 ad0a
aaaa 1401 0416 0089 003a 0dae 80b0 0000
0001 0000 0000 0000 2043 4b41 4141 4141
4141 4141 4141 4141 4141 4141 4141 4141
4141 4141 4141 4141 4100 0021 0001
Student Answer:
AIX (Incorrect.)
Solaris (Incorrect.)
Windows (Correct.)
Linux (Incorrect.)

Points Received: 0 of 1
Comments:

Question 9. Question :

Given this TCPdump output, which of the following is NOT likely?
22:32:27.256028 SCANNER.OTHER.NET.783 > NFS_SERVER.MY.NET.sunrpc: udp 56 (ttl 64, id 41021)
22:32:27.257397 NFS_SERVER.MY.NET.sunrpc > SCANNER.OTHER.NET.783: udp 28 (ttl 64, id 49957)
22:32:27.262975 SCANNER.OTHER.NET.862 > NFS_SERVER.MY.NET.1011: udp 1112 (ttl 64, id 64250)
22:32:27.274461 NFS_SERVER.MY.NET.1011 > SCANNER.OTHER.NET.862: udp 32 (ttl 64, id 49958)
Student Answer:
SCANNER.OTHER.NET attempted a remote buffer overflow attack against NFS_SERVER. (Correct.)
A UDP datagram of size 1112 is normal. (Incorrect.)
SCANNER.OTHER.NET is querying NFS_SERVER.MY.NET for RPCinfo. (Incorrect.)
SCANNER.OTHER.NET and NFS_SERVER.MY.NET are physically close to each other. (Incorrect.)
Points Received: 1 of 1
Comments:

Question 10. Question :

Which of the following is the most likely reason for choosing to use HEAD requests rather than GET requests when scanning for the presence of vulnerable Web-based applications?
Student Answer:
To proxy requests through another Web server. (Incorrect.)
To exploit vulnerabilities while scanning. (Correct.)
To speed up the scan. (Correct.)
To avoid detection. (Incorrect.)
Points Received: 0 of 1
Comments:

* Times are displayed in (GMT-07:00) Mountain Time (US & Canada)
