nerdexam
EC-Council

312-50V11 · Question #614

(Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.). Snort has been u

The correct answer is B. This is back orifice activity as the scan comes form port 31337.. Port 31337 is the well-known default port for Back Orifice, a remote access trojan released by the Cult of the Dead Cow hacker group. Observing traffic on this port in a packet capture is a strong indicator of Back Orifice activity on the network.

Scanning Networks

Question

(Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.). Snort has been used to capture packets on the network. On studying the packets, the penetration tester finds it to be abnormal. If you were the penetration tester, why would you find this abnormal? What is odd about this attack? Choose the best answer.

Exhibit

312-50V11 question #614 exhibit

Options

  • AThis is not a spoofed packet as the IP stack has increasing numbers for the three flags.
  • BThis is back orifice activity as the scan comes form port 31337.
  • CThe attacker wants to avoid creating a sub-carries connection that is not normally valid.
  • DThese packets were crafted by a tool, they were not created by a standard IP stack.

How the community answered

(26 responses)
  • A
    4% (1)
  • B
    62% (16)
  • C
    23% (6)
  • D
    12% (3)

Why each option

Port 31337 is the well-known default port for Back Orifice, a remote access trojan released by the Cult of the Dead Cow hacker group. Observing traffic on this port in a packet capture is a strong indicator of Back Orifice activity on the network.

AThis is not a spoofed packet as the IP stack has increasing numbers for the three flags.

Analyzing increasing sequence numbers in IP stack flags does not identify the key anomaly here, which is the presence of the well-known malicious port 31337 rather than any spoofing indicator.

BThis is back orifice activity as the scan comes form port 31337.Correct

Port 31337, pronounced 'elite' in leet speak, is the default listening port for Back Orifice, a notorious remote access trojan targeting Windows systems. When a penetration tester sees traffic originating from or destined for this port in a packet dump, it is a recognized signature of Back Orifice command-and-control communication. Identifying well-known malicious port signatures is a core skill in passive network threat fingerprinting.

CThe attacker wants to avoid creating a sub-carries connection that is not normally valid.

The phrase 'sub-carries connection' is not a standard networking term and does not accurately describe any observable characteristic of the captured packets.

DThese packets were crafted by a tool, they were not created by a standard IP stack.

While crafted packets can appear abnormal, this answer is too generic and fails to identify the most definitive indicator - port 31337 - that specifically links this traffic to Back Orifice.

Concept tested: Back Orifice detection via port 31337 signature

Topics

#port 31337#Back Orifice#packet analysis#passive OS fingerprinting

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice