nerdexam
EC-Council

312-50V10 · Question #614

(Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.). Snort has been u

The correct answer is B. This is back orifice activity as the scan comes form port 31337.. The captured packets are abnormal because traffic originates from port 31337, which is the well-known default port of the Back Orifice remote access trojan. This port number is a definitive signature that a penetration tester would recognize immediately.

Scanning Networks

Question

(Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.). Snort has been used to capture packets on the network. On studying the packets, the penetration tester finds it to be abnormal. If you were the penetration tester, why would you find this abnormal? What is odd about this attack? Choose the best answer.

Exhibit

312-50V10 question #614 exhibit

Options

  • AThis is not a spoofed packet as the IP stack has increasing numbers for the three flags.
  • BThis is back orifice activity as the scan comes form port 31337.
  • CThe attacker wants to avoid creating a sub-carries connection that is not normally valid.
  • DThese packets were crafted by a tool, they were not created by a standard IP stack.

How the community answered

(71 responses)
  • A
    4% (3)
  • B
    69% (49)
  • C
    18% (13)
  • D
    8% (6)

Why each option

The captured packets are abnormal because traffic originates from port 31337, which is the well-known default port of the Back Orifice remote access trojan. This port number is a definitive signature that a penetration tester would recognize immediately.

AThis is not a spoofed packet as the IP stack has increasing numbers for the three flags.

Increasing sequence numbers in the IP stack are normal, expected TCP behavior and do not indicate anything legitimate or abnormal about the packet.

BThis is back orifice activity as the scan comes form port 31337.Correct

Port 31337 ('eleet') is the default listening port used by Back Orifice, a backdoor tool created by the Cult of the Dead Cow hacker group. When Snort captures traffic sourcing from this port, it is a direct indicator of Back Orifice activity, which is the specific anomaly that makes these packets abnormal.

CThe attacker wants to avoid creating a sub-carries connection that is not normally valid.

Sub-carries connections are not a recognized TCP/IP concept or attack category relevant to the observed packet signature.

DThese packets were crafted by a tool, they were not created by a standard IP stack.

While crafted packets are a valid concern in packet analysis, the specific and definitive indicator here is the source port 31337, not generic packet crafting.

Concept tested: Back Orifice backdoor port 31337 identification

Source: https://attack.mitre.org/software/S0031/

Topics

#Snort#packet analysis#Back Orifice#port 31337

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice