CS591 F2010 Final Review

The final exam will cover the following topics:

• Penetration Testing
  • What are 9 potential hacking steps of the hacking methodology discussed in "Hacking exposed" by McClure et al (See penetration testing viewgraph)?
  • How can the nmap detect the OS version?
  • How can the scanning tools evade the detection?
  • Explain how fpipe can be used to avoid blocking by the firewall.
  • How can netcat be used to set up a backdoor connection?
  • Assume a DNS server at DMZ LAN of Litya secure government site is compromised, how can a spy indirectly pass info out without establishing the direct communication to outside world. Note this is called covert channel.
  • How will this particular covert channel be detected?
• Firewall
  • Why the servers in DMZ are not allowed to initiate the connections to the systems in the intranet?
  • What would happen if a machine in Internet pings a machine in the intranet?
  • When should we use SNAT instead of MASQUERADE?
  • How DNAT is used? Is it applied in PREROUTING or POSTROUTING?
    
• IDS
  • With the possibility of the inside attack, where should IDS devices be located?
  • What are two basic types of IDS devices?
  • If a hacker changes the content of the TFN DDoS attack msg from "1234" to "haha", what will be the new snort rule, you will add?
  • The above scenario indicates the problems with IDS detection with specific patterns. If the attacker changes the content, the existing rules will produce false negatives. What is your solution to this.
  • Give three examples of designs or syntax in snort rules, that tries to improve the efficiency of intrusion detection process.
  • Explain how honeypot can be used to reduced the false positives to zero

Sample of Spring 2009 Final is available at http://cs.uccs.edu/~cs591/CS591F2009Final.docx