312-50V9 · Question #507
(Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.). Snort has been u
The correct answer is B. This is back orifice activity as the scan comes form port 31337.. Port 31337 is the well-known default port for Back Orifice, a remote access trojan, making traffic from this port a direct indicator of Back Orifice activity in a packet capture.
Question
(Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.). Snort has been used to capture packets on the network. On studying the packets, the penetration tester finds it to be abnormal. If you were the penetration tester, why would you find this abnormal? What is odd about this attack? Choose the best answer.
Exhibit
Options
- AThis is not a spoofed packet as the IP stack has increasing numbers for the three flags.
- BThis is back orifice activity as the scan comes form port 31337.
- CThe attacker wants to avoid creating a sub-carries connection that is not normally valid.
- DThese packets were crafted by a tool, they were not created by a standard IP stack.
How the community answered
(40 responses)- A5% (2)
- B70% (28)
- C18% (7)
- D8% (3)
Why each option
Port 31337 is the well-known default port for Back Orifice, a remote access trojan, making traffic from this port a direct indicator of Back Orifice activity in a packet capture.
The question frames the packet as abnormal and does not present sequential flag numbers as evidence; this choice contradicts the premise of the question.
Port 31337, pronounced 'leet' (elite) in hacker culture, is the default UDP port used by Back Orifice, a remote administration trojan first released by the hacker group Cult of the Dead Cow. Observing packets originating from or destined for port 31337 in a Snort capture is a well-recognized signature for Back Orifice activity and is the specific abnormality a penetration tester would flag.
Sub-carries connection is not a recognized or standard TCP/IP networking concept, making this answer technically invalid.
While crafted packets are a general anomaly indicator, the most specific and operationally significant finding in this scenario is the use of port 31337, which maps directly to a known trojan.
Concept tested: Back Orifice trojan identification via port 31337
Source: https://www.cisa.gov/news-events/alerts/2001/03/07/back-orifice-2000
Topics
Community Discussion
No community discussion yet for this question.
