312-50V10 · Question #614
(Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.). Snort has been u
The correct answer is B. This is back orifice activity as the scan comes form port 31337.. The captured packets are abnormal because traffic originates from port 31337, which is the well-known default port of the Back Orifice remote access trojan. This port number is a definitive signature that a penetration tester would recognize immediately.
Question
(Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.). Snort has been used to capture packets on the network. On studying the packets, the penetration tester finds it to be abnormal. If you were the penetration tester, why would you find this abnormal? What is odd about this attack? Choose the best answer.
Exhibit
Options
- AThis is not a spoofed packet as the IP stack has increasing numbers for the three flags.
- BThis is back orifice activity as the scan comes form port 31337.
- CThe attacker wants to avoid creating a sub-carries connection that is not normally valid.
- DThese packets were crafted by a tool, they were not created by a standard IP stack.
How the community answered
(71 responses)- A4% (3)
- B69% (49)
- C18% (13)
- D8% (6)
Why each option
The captured packets are abnormal because traffic originates from port 31337, which is the well-known default port of the Back Orifice remote access trojan. This port number is a definitive signature that a penetration tester would recognize immediately.
Increasing sequence numbers in the IP stack are normal, expected TCP behavior and do not indicate anything legitimate or abnormal about the packet.
Port 31337 ('eleet') is the default listening port used by Back Orifice, a backdoor tool created by the Cult of the Dead Cow hacker group. When Snort captures traffic sourcing from this port, it is a direct indicator of Back Orifice activity, which is the specific anomaly that makes these packets abnormal.
Sub-carries connections are not a recognized TCP/IP concept or attack category relevant to the observed packet signature.
While crafted packets are a valid concern in packet analysis, the specific and definitive indicator here is the source port 31337, not generic packet crafting.
Concept tested: Back Orifice backdoor port 31337 identification
Source: https://attack.mitre.org/software/S0031/
Topics
Community Discussion
No community discussion yet for this question.
