nerdexam
EC-Council

312-50V13 · Question #149

The network administrator at Spears Technology, Inc has configured the default gateway Cisco router's access-list as below: You are hired to conduct security testing on their network. You successfully

The correct answer is B. Run a network sniffer and capture the returned traffic with the configuration file from the router D. Send a customized SNMP set request with a spoofed source IP address in the range -. Given a successfully brute-forced SNMP community string but an access-list preventing direct connection from the attacker's IP, an attacker could either sniff network traffic for configuration data or send spoofed SNMP requests from a permitted IP range.

Submitted by ravi_2018· Mar 6, 2026Evading IDS, Firewalls, and Honeypots

Question

The network administrator at Spears Technology, Inc has configured the default gateway Cisco router's access-list as below: You are hired to conduct security testing on their network. You successfully brute-force the SNMP community string using a SNMP crack tool. The access-list configured at the router prevents you from establishing a successful connection. You want to retrieve the Cisco configuration from the router. How would you proceed?

Options

  • AUse the Cisco's TFTP default password to connect and download the configuration file
  • BRun a network sniffer and capture the returned traffic with the configuration file from the router
  • CRun Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router
  • DSend a customized SNMP set request with a spoofed source IP address in the range -

How the community answered

(46 responses)
  • A
    26% (12)
  • B
    63% (29)
  • C
    11% (5)

Why each option

Given a successfully brute-forced SNMP community string but an access-list preventing direct connection from the attacker's IP, an attacker could either sniff network traffic for configuration data or send spoofed SNMP requests from a permitted IP range.

AUse the Cisco's TFTP default password to connect and download the configuration file

Cisco routers do not have a universally known 'TFTP default password' for configuration downloads, and even if TFTP were enabled, the existing access-list would likely block unauthorized access.

BRun a network sniffer and capture the returned traffic with the configuration file from the routerCorrect

If SNMP traffic, including configuration data, is transmitted unencrypted across a network segment accessible to the attacker, a network sniffer can capture these packets. This allows the attacker to retrieve the configuration without directly connecting to the router from their blocked IP.

CRun Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router

Running Generic Routing Encapsulation (GRE) tunneling requires the router to be specifically configured to accept such tunnels from the attacker's IP, which is unlikely given a security-focused access-list and would be a complex method not directly bypassing the SNMP ACL.

DSend a customized SNMP set request with a spoofed source IP address in the range -Correct

If the attacker can identify an IP address range that the access-list permits, they can craft SNMP 'get' requests with a spoofed source IP address from within that range. If the router processes the request and sends the response to the spoofed IP (which might be possible if the ACL only filters incoming source IPs), and the attacker can capture traffic destined for that spoofed IP, they can obtain the configuration.

Concept tested: SNMP exploitation, ACL bypass techniques (sniffing, IP spoofing)

Source: https://www.cloudflare.com/learning/ddos/ip-spoofing/

Topics

#SNMP#access lists#network reconnaissance#spoofing

Community Discussion

No community discussion yet for this question.

Full 312-50V13 Practice