nerdexam
EC-Council

312-50V9 · Question #507

(Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.). Snort has been u

The correct answer is B. This is back orifice activity as the scan comes form port 31337.. Port 31337 is the well-known default port for Back Orifice, a remote access trojan, making traffic from this port a direct indicator of Back Orifice activity in a packet capture.

Scanning Networks

Question

(Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.). Snort has been used to capture packets on the network. On studying the packets, the penetration tester finds it to be abnormal. If you were the penetration tester, why would you find this abnormal? What is odd about this attack? Choose the best answer.

Exhibit

312-50V9 question #507 exhibit

Options

  • AThis is not a spoofed packet as the IP stack has increasing numbers for the three flags.
  • BThis is back orifice activity as the scan comes form port 31337.
  • CThe attacker wants to avoid creating a sub-carries connection that is not normally valid.
  • DThese packets were crafted by a tool, they were not created by a standard IP stack.

How the community answered

(40 responses)
  • A
    5% (2)
  • B
    70% (28)
  • C
    18% (7)
  • D
    8% (3)

Why each option

Port 31337 is the well-known default port for Back Orifice, a remote access trojan, making traffic from this port a direct indicator of Back Orifice activity in a packet capture.

AThis is not a spoofed packet as the IP stack has increasing numbers for the three flags.

The question frames the packet as abnormal and does not present sequential flag numbers as evidence; this choice contradicts the premise of the question.

BThis is back orifice activity as the scan comes form port 31337.Correct

Port 31337, pronounced 'leet' (elite) in hacker culture, is the default UDP port used by Back Orifice, a remote administration trojan first released by the hacker group Cult of the Dead Cow. Observing packets originating from or destined for port 31337 in a Snort capture is a well-recognized signature for Back Orifice activity and is the specific abnormality a penetration tester would flag.

CThe attacker wants to avoid creating a sub-carries connection that is not normally valid.

Sub-carries connection is not a recognized or standard TCP/IP networking concept, making this answer technically invalid.

DThese packets were crafted by a tool, they were not created by a standard IP stack.

While crafted packets are a general anomaly indicator, the most specific and operationally significant finding in this scenario is the use of port 31337, which maps directly to a known trojan.

Concept tested: Back Orifice trojan identification via port 31337

Source: https://www.cisa.gov/news-events/alerts/2001/03/07/back-orifice-2000

Topics

#Back Orifice#port 31337#packet signature analysis#malware port

Community Discussion

No community discussion yet for this question.

Full 312-50V9 Practice