312-50V11 · Question #614
(Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.). Snort has been u
The correct answer is B. This is back orifice activity as the scan comes form port 31337.. Port 31337 is the well-known default port for Back Orifice, a remote access trojan released by the Cult of the Dead Cow hacker group. Observing traffic on this port in a packet capture is a strong indicator of Back Orifice activity on the network.
Question
(Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.). Snort has been used to capture packets on the network. On studying the packets, the penetration tester finds it to be abnormal. If you were the penetration tester, why would you find this abnormal? What is odd about this attack? Choose the best answer.
Exhibit
Options
- AThis is not a spoofed packet as the IP stack has increasing numbers for the three flags.
- BThis is back orifice activity as the scan comes form port 31337.
- CThe attacker wants to avoid creating a sub-carries connection that is not normally valid.
- DThese packets were crafted by a tool, they were not created by a standard IP stack.
How the community answered
(26 responses)- A4% (1)
- B62% (16)
- C23% (6)
- D12% (3)
Why each option
Port 31337 is the well-known default port for Back Orifice, a remote access trojan released by the Cult of the Dead Cow hacker group. Observing traffic on this port in a packet capture is a strong indicator of Back Orifice activity on the network.
Analyzing increasing sequence numbers in IP stack flags does not identify the key anomaly here, which is the presence of the well-known malicious port 31337 rather than any spoofing indicator.
Port 31337, pronounced 'elite' in leet speak, is the default listening port for Back Orifice, a notorious remote access trojan targeting Windows systems. When a penetration tester sees traffic originating from or destined for this port in a packet dump, it is a recognized signature of Back Orifice command-and-control communication. Identifying well-known malicious port signatures is a core skill in passive network threat fingerprinting.
The phrase 'sub-carries connection' is not a standard networking term and does not accurately describe any observable characteristic of the captured packets.
While crafted packets can appear abnormal, this answer is too generic and fails to identify the most definitive indicator - port 31337 - that specifically links this traffic to Back Orifice.
Concept tested: Back Orifice detection via port 31337 signature
Topics
Community Discussion
No community discussion yet for this question.
