

CAS-001 Question #77: Real Exam Question with Answer & Explanation

The correct answer is A: An NTP client side attack successfully exploited some hosts.

Question

The security administrator at `company.com` is reviewing the network logs and notices a new UDP port pattern where the amount of UDP port 123 packets has increased by 20% above the baseline. The administrator runs a packet capturing tool from a server attached to a SPAN port and notices the following.

    UDP 192.168.0.1:123 -> 172.60.3.0:123
    UDP 192.168.0.36:123 -> time.company.com
    UDP 192.168.0.112:123 -> 172.60.3.0:123
    UDP 192.168.0.91:123 -> time.company.com
    UDP 192.168.0.211:123 -> 172.60.3.0:123
    UDP 192.168.0.237:123 -> time.company.com
    UDP 192.168.0.78:123 -> 172.60.3.0:123

The corporate HIPS console reports an MD5 hash mismatch on the svchost.exe file of the following computers:

    192.168.0.1
    192.168.0.112
    192.168.0.211
    192.168.0.78

Which of the following should the security administrator report to upper management based on the above output?

Options

  • A. An NTP client side attack successfully exploited some hosts.
  • B. A DNS cache poisoning successfully exploited some hosts.
  • C. An NTP server side attack successfully exploited some hosts.
  • D. A DNS server side attack successfully exploited some hosts.

Explanation

UDP port 123 is used by NTP (Network Time Protocol). The packet capture shows two groups of hosts: some query the legitimate internal time server (time.company.com), while others, specifically the hosts whose svchost.exe hash does not match, send NTP requests to an external IP address (172.60.3.0). The MD5 hash mismatch on svchost.exe indicates that those hosts are compromised: malware has modified the Windows service host process. The compromised hosts are redirecting their NTP synchronization to an external rogue NTP server, which is characteristic of an NTP client-side attack, where the client (the victim host) is the component that was exploited and manipulated. A server-side attack would mean the NTP server itself had been compromised, yet the hosts still using time.company.com show no tampering. Nothing in the output involves DNS resolution, so options B and D are not supported by the evidence.
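The reasoning above is a correlation exercise: join the NTP destinations seen on the wire with the HIPS integrity alerts, and ask whether the anomaly sits on the endpoints or on the time server. The following script is an added example written for this page, not code from the exam or from any vendor product. It parses the capture lines from the question (embedded here as constructed sample input), marks hosts that talk to a non-approved NTP destination, cross-references them with the HIPS hash-mismatch list, and returns a client-side verdict only when every host using a rogue time source is also a host with a tampered binary. The `APPROVED_NTP` set and the verdict labels are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample input, copied from the question's SPAN-port capture.
CAPTURE = """\
UDP 192.168.0.1:123 -> 172.60.3.0:123
UDP 192.168.0.36:123 -> time.company.com
UDP 192.168.0.112:123 -> 172.60.3.0:123
UDP 192.168.0.91:123 -> time.company.com
UDP 192.168.0.211:123 -> 172.60.3.0:123
UDP 192.168.0.237:123 -> time.company.com
UDP 192.168.0.78:123 -> 172.60.3.0:123
"""

# Constructed sample input, copied from the question's HIPS console report.
HIPS_HASH_MISMATCH = {"192.168.0.1", "192.168.0.112", "192.168.0.211", "192.168.0.78"}

# Assumption: the only sanctioned time source is the internal server.
APPROVED_NTP = {"time.company.com"}

# "UDP <src>:<sport> -> <dst>[:<dport>]"; the destination may be a hostname
# without a port, as in the capture above.
LINE_RE = re.compile(
    r"^UDP\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^:\s]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_capture(text):
    """Return a list of (src, sport, dst, dport) tuples; non-matching lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        dport = int(m["dport"]) if m["dport"] else 123  # hostname-only form: assume NTP
        flows.append((m["src"], int(m["sport"]), m["dst"], dport))
    return flows


def ntp_destinations(flows):
    """Group NTP clients by the destination they synchronise with."""
    by_dst = defaultdict(set)
    for src, sport, dst, dport in flows:
        if sport == 123 or dport == 123:
            by_dst[dst].add(src)
    return by_dst


def classify(flows, hips_mismatch, approved):
    """Label each NTP client by combining its time source with the HIPS integrity state."""
    verdict = {}
    for src, sport, dst, dport in flows:
        if sport != 123 and dport != 123:
            continue
        rogue_source = dst not in approved
        tampered = src in hips_mismatch
        if rogue_source and tampered:
            verdict[src] = "compromised-client"   # altered binary AND rogue time source
        elif rogue_source:
            verdict[src] = "unapproved-ntp"       # misconfiguration or unconfirmed compromise
        elif tampered:
            verdict[src] = "hash-mismatch-only"   # integrity alert, but NTP looks normal
        else:
            verdict[src] = "ok"
    return verdict


def assess(verdict):
    """Decide where the attack sits, using the same reasoning as the explanation."""
    compromised = [h for h, s in verdict.items() if s == "compromised-client"]
    rogue_but_clean = [h for h, s in verdict.items() if s == "unapproved-ntp"]
    if compromised and not rogue_but_clean:
        # Every host using a rogue time source has a tampered svchost.exe, and the
        # hosts still using the approved server are clean: the clients were exploited.
        return "client-side"
    if rogue_but_clean:
        return "inconclusive"  # rogue source without endpoint evidence: investigate further
    return "no-finding"


if __name__ == "__main__":
    flows = parse_capture(CAPTURE)
    for dst, clients in ntp_destinations(flows).items():
        print(f"{dst:20} <- {sorted(clients)}")
    verdicts = classify(flows, HIPS_HASH_MISMATCH, APPROVED_NTP)
    for host, label in sorted(verdicts.items()):
        print(f"{host:16} {label}")
    print("assessment:", assess(verdicts))
```

Run as a script it prints each time source with the clients using it, the per-host label, and the overall assessment; on the question's data the four hash-mismatch hosts are the exact set talking to 172.60.3.0, so the assessment is `client-side`. The `unapproved-ntp` label exists so that a host pointing at an unsanctioned server without an integrity alert is escalated for investigation rather than silently folded into the compromise count.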
