Certified Ethical Hacker. Test 1
Question 1:
Session splicing is an IDS evasion technique that exploits how some IDSs do not
reconstruct sessions before performing pattern matching on the data. The idea behind
session splicing is to split data between several packets, ensuring that no single packet
matches any patterns within an IDS signature. Which tool can be used to perform
session splicing attacks?
● tcpsplice
● Burp
● Hydra
● Whisker
● (Correct)
Explanation
«Many IDS reassemble communication streams; hence, if a packet is not received
within a reasonable period, many IDS stop reassembling and handling that stream. If the
application under attack keeps a session active for a longer time than that spent by the
IDS on reassembling it, the IDS will stop. As a result, any session after the IDS stops
reassembling the sessions will be susceptible to malicious data theft by attackers. The
IDS will not log any attack attempt after a successful splicing attack. Attackers can use
tools such as Nessus for session splicing attacks.»
Did you know that the EC-Council exam shows how well you know their official book?
So, there is no "Whisker" in it. In the chapter "Evading IDS" -> "Session Splicing", the
recommended tool for performing a session-splicing attack is Nessus. Where Wisker
came from is not entirely clear, but I will assume the author of the question found it
while copying Wikipedia.
https://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques
One basic technique is to split the attack payload into multiple small packets so that the
IDS must reassemble the packet stream to detect the attack. A simple way of splitting
packets is by fragmenting them, but an adversary can also simply craft packets with
small payloads. The 'whisker' evasion tool calls crafting packets with small payloads
'session splicing'.
,By itself, small packets will not evade any IDS that reassembles packet streams.
However, small packets can be further modified in order to complicate reassembly and
detection. One evasion technique is to pause between sending parts of the attack,
hoping that the IDS will time out before the target computer does. A second evasion
technique is to send the packets out of order, confusing simple packet re-assemblers
but not the target computer.
NOTE: Yes, I found scraps of information about the tool that existed in 2012, but I can
not give you unverified information. According to the official tutorials, the correct
answer is Nessus, but if you know anything about Wisker, please write in the QA
section. Maybe this question will be updated soon, but I'm not sure about that.
Incorrect answers:
tcpsplice https://github.com/the-tcpdump-group/tcpslice
A tool for extracting portions of packet trace files generated using tcpdump's -w flag.
https://www.tcpdump.org/
Burp https://portswigger.net/burp
Burp or Burp Suite is a set of tools used for penetration testing of web applications. It is
developed by the company named Portswigger.
Hydra https://en.wikipedia.org/wiki/Hydra_(software)
Hydra is a parallelized network logon cracker built in various operating systems like Kali
Linux, Parrot and other major penetration testing environments. Hydra works by using
different approaches to perform brute-force attacks in order to guess the right
username and password combination. Hydra is commonly used by penetration testers
together with a set of programmes like crunch, cupp etc, which are used to generate
wordlists. Hydra is then used to test the attacks using the wordlists that these
programmes created.
,Question 2:
Which of the following characteristics is not true about the Simple Object Access
Protocol?
● Exchanges data between web services.
● Only compatible with the application protocol HTTP.
● (Correct)
● Allows for any programming model.
● Using Extensible Markup Language.
Explanation
https://en.wikipedia.org/wiki/SOAP
SOAP can be used with any application-level protocol: SMTP, FTP, HTTP, HTTPS, etc.
However, its interaction with each of these protocols has its own characteristics, which
must be defined separately. Most often SOAP is used over HTTP.
SOAP (formerly an acronym for Simple Object Access Protocol) is a messaging
protocol specification for exchanging structured information in the implementation of
web services in computer networks. Its purpose is to provide extensibility, neutrality,
verbosity and independence. It uses XML Information Set for its message format, and
relies on application layer protocols, most often Hypertext Transfer Protocol (HTTP),
although some legacy systems communicate over Simple Mail Transfer Protocol
(SMTP), for message negotiation and transmission.
SOAP allows developers to invoke processes running on disparate operating systems
(such as Windows, macOS, and Linux) to authenticate, authorize, and communicate
using Extensible Markup Language (XML). Since Web protocols like HTTP are installed
and running on all operating systems, SOAP allows clients to invoke web services and
receive responses independent of language and platforms.
SOAP provides the Messaging Protocol layer of a web services protocol stack for web
services. It is an XML-based protocol consisting of three parts:
· an envelope, which defines the message structure and how to process it
· a set of encoding rules for expressing instances of application-defined datatypes
· a convention for representing procedure calls and responses
, SOAP has three major characteristics:
extensibility (security and WS-Addressing are among the extensions under
development)
neutrality (SOAP can operate over any protocol such as HTTP, SMTP, TCP, UDP)
independence (SOAP allows for any programming model)
As an example of what SOAP procedures can do, an application can send a SOAP
request to a server that has web services enabled—such as a real-estate price
database—with the parameters for a search. The server then returns a SOAP response
(an XML-formatted document with the resulting data), e.g., prices, location, features.
Since the generated data comes in a standardized machine-parsable format, the
requesting application can then integrate it directly.
Question 1:
Session splicing is an IDS evasion technique that exploits how some IDSs do not
reconstruct sessions before performing pattern matching on the data. The idea behind
session splicing is to split data between several packets, ensuring that no single packet
matches any patterns within an IDS signature. Which tool can be used to perform
session splicing attacks?
● tcpsplice
● Burp
● Hydra
● Whisker
● (Correct)
Explanation
«Many IDS reassemble communication streams; hence, if a packet is not received
within a reasonable period, many IDS stop reassembling and handling that stream. If the
application under attack keeps a session active for a longer time than that spent by the
IDS on reassembling it, the IDS will stop. As a result, any session after the IDS stops
reassembling the sessions will be susceptible to malicious data theft by attackers. The
IDS will not log any attack attempt after a successful splicing attack. Attackers can use
tools such as Nessus for session splicing attacks.»
Did you know that the EC-Council exam shows how well you know their official book?
So, there is no "Whisker" in it. In the chapter "Evading IDS" -> "Session Splicing", the
recommended tool for performing a session-splicing attack is Nessus. Where Wisker
came from is not entirely clear, but I will assume the author of the question found it
while copying Wikipedia.
https://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques
One basic technique is to split the attack payload into multiple small packets so that the
IDS must reassemble the packet stream to detect the attack. A simple way of splitting
packets is by fragmenting them, but an adversary can also simply craft packets with
small payloads. The 'whisker' evasion tool calls crafting packets with small payloads
'session splicing'.
,By itself, small packets will not evade any IDS that reassembles packet streams.
However, small packets can be further modified in order to complicate reassembly and
detection. One evasion technique is to pause between sending parts of the attack,
hoping that the IDS will time out before the target computer does. A second evasion
technique is to send the packets out of order, confusing simple packet re-assemblers
but not the target computer.
NOTE: Yes, I found scraps of information about the tool that existed in 2012, but I can
not give you unverified information. According to the official tutorials, the correct
answer is Nessus, but if you know anything about Wisker, please write in the QA
section. Maybe this question will be updated soon, but I'm not sure about that.
Incorrect answers:
tcpsplice https://github.com/the-tcpdump-group/tcpslice
A tool for extracting portions of packet trace files generated using tcpdump's -w flag.
https://www.tcpdump.org/
Burp https://portswigger.net/burp
Burp or Burp Suite is a set of tools used for penetration testing of web applications. It is
developed by the company named Portswigger.
Hydra https://en.wikipedia.org/wiki/Hydra_(software)
Hydra is a parallelized network logon cracker built in various operating systems like Kali
Linux, Parrot and other major penetration testing environments. Hydra works by using
different approaches to perform brute-force attacks in order to guess the right
username and password combination. Hydra is commonly used by penetration testers
together with a set of programmes like crunch, cupp etc, which are used to generate
wordlists. Hydra is then used to test the attacks using the wordlists that these
programmes created.
,Question 2:
Which of the following characteristics is not true about the Simple Object Access
Protocol?
● Exchanges data between web services.
● Only compatible with the application protocol HTTP.
● (Correct)
● Allows for any programming model.
● Using Extensible Markup Language.
Explanation
https://en.wikipedia.org/wiki/SOAP
SOAP can be used with any application-level protocol: SMTP, FTP, HTTP, HTTPS, etc.
However, its interaction with each of these protocols has its own characteristics, which
must be defined separately. Most often SOAP is used over HTTP.
SOAP (formerly an acronym for Simple Object Access Protocol) is a messaging
protocol specification for exchanging structured information in the implementation of
web services in computer networks. Its purpose is to provide extensibility, neutrality,
verbosity and independence. It uses XML Information Set for its message format, and
relies on application layer protocols, most often Hypertext Transfer Protocol (HTTP),
although some legacy systems communicate over Simple Mail Transfer Protocol
(SMTP), for message negotiation and transmission.
SOAP allows developers to invoke processes running on disparate operating systems
(such as Windows, macOS, and Linux) to authenticate, authorize, and communicate
using Extensible Markup Language (XML). Since Web protocols like HTTP are installed
and running on all operating systems, SOAP allows clients to invoke web services and
receive responses independent of language and platforms.
SOAP provides the Messaging Protocol layer of a web services protocol stack for web
services. It is an XML-based protocol consisting of three parts:
· an envelope, which defines the message structure and how to process it
· a set of encoding rules for expressing instances of application-defined datatypes
· a convention for representing procedure calls and responses
, SOAP has three major characteristics:
extensibility (security and WS-Addressing are among the extensions under
development)
neutrality (SOAP can operate over any protocol such as HTTP, SMTP, TCP, UDP)
independence (SOAP allows for any programming model)
As an example of what SOAP procedures can do, an application can send a SOAP
request to a server that has web services enabled—such as a real-estate price
database—with the parameters for a search. The server then returns a SOAP response
(an XML-formatted document with the resulting data), e.g., prices, location, features.
Since the generated data comes in a standardized machine-parsable format, the
requesting application can then integrate it directly.
