EC-Council
312-50V11 · Question #976
312-50V11 Question #976: Real Exam Question with Answer & Explanation
The correct answer is B: Detecting the presence of Honeyd honeypots. Dayn uses time-based TCP fingerprinting to compare response timing between real systems and honeypots, a technique specifically effective against Honeyd honeypots.
Question
Dayn, an attacker, wanted to detect if any honeypots are installed in a target network. For this purpose, he used a time-based TCP fingerprinting method to validate the response to a normal computer and the response of a honeypot to a manual SYN request. Which of the following techniques is employed by Dayn to detect honeypots?
Options
- A. Detecting honeypots running on VMware
- B. Detecting the presence of Honeyd honeypots
- C. Detecting the presence of Snort_inline honeypots
- D. Detecting the presence of Sebek-based honeypots
Explanation
Dayn uses time-based TCP fingerprinting to compare response timing between real systems and honeypots, a technique specifically effective against Honeyd honeypots.
Common mistakes.
- A. Detecting VMware-based honeypots relies on identifying VMware-specific artifacts such as registry keys, driver files, or MAC address prefixes - not TCP response timing.
- C. Snort_inline honeypot detection involves identifying inline IPS/IDS behavioral patterns or traffic manipulation artifacts, not time-based TCP fingerprinting.
- D. Sebek-based honeypot detection focuses on identifying kernel-level keystroke capture activity or Sebek communication artifacts, not TCP timing analysis.
Concept tested. Honeyd honeypot detection via TCP timing
Reference. https://csrc.nist.gov/glossary/term/honeypot