nerdexam
EC-Council

312-50V9 · Question #377

What tool and process are you going to use in order to remain undetected by an IDS while pivoting and passing traffic over a server you've compromised and gained root access to?

The correct answer is B. Install Cryptcat and encrypt outgoing packets from this server.. Cryptcat encrypts netcat traffic using Twofish encryption, allowing an attacker to tunnel data past an IDS that relies on inspecting plaintext payloads.

Evading IDS, Firewalls, and Honeypots

Question

What tool and process are you going to use in order to remain undetected by an IDS while pivoting and passing traffic over a server you've compromised and gained root access to?

Options

  • AInstall and use Telnet to encrypt all outgoing traffic from this server.
  • BInstall Cryptcat and encrypt outgoing packets from this server.
  • CUse HTTP so that all traffic can be routed via a browser, thus evading the internal Intrusion
  • DUse Alternate Data Streams to hide the outgoing packets from this server.

How the community answered

(35 responses)
  • A
    3% (1)
  • B
    80% (28)
  • C
    11% (4)
  • D
    6% (2)

Why each option

Cryptcat encrypts netcat traffic using Twofish encryption, allowing an attacker to tunnel data past an IDS that relies on inspecting plaintext payloads.

AInstall and use Telnet to encrypt all outgoing traffic from this server.

Telnet transmits all data in cleartext with no encryption, which would make the traffic more visible and inspectable by an IDS, not less.

BInstall Cryptcat and encrypt outgoing packets from this server.Correct

Cryptcat is an enhanced version of netcat that incorporates Twofish symmetric encryption for all transmitted data, making the payload opaque to signature-based IDS inspection. Because the traffic is encrypted end-to-end between the compromised server and the attacker, the IDS cannot match known malicious patterns or read the content of the pivoted session. This is a standard post-exploitation technique covered in CEH and offensive security curricula.

CUse HTTP so that all traffic can be routed via a browser, thus evading the internal Intrusion

Using HTTP does not encrypt traffic; IDS systems routinely inspect HTTP content and can detect malicious payloads or anomalous behavior within HTTP sessions.

DUse Alternate Data Streams to hide the outgoing packets from this server.

Alternate Data Streams is an NTFS file system feature on Windows used to hide data inside files - it has no mechanism to conceal or encrypt outgoing network packets, and this scenario involves a CentOS (Linux) server where NTFS does not exist.

Concept tested: Encrypted pivoting with Cryptcat to evade IDS

Source: https://www.eccouncil.org/cybersecurity-exchange/ethical-hacking/what-is-netcat/

Topics

#Cryptcat#traffic encryption#IDS evasion#pivoting

Community Discussion

No community discussion yet for this question.

Full 312-50V9 Practice