GAQM CPEH-001 Exam - Topic 4 Question 14 Discussion

Actual exam question for GAQM's CPEH-001 exam
Question #: 14
Topic #: 4

Eric notices repeated probes to port 1080. He learns that the protocol being used is designed to allow a host outside of a firewall to connect transparently and securely through the firewall. He wonders if his firewall has been breached. What would be your inference?

Suggested Answer: D

Port Description:

SOCKS. The SOCKS port, used to support outbound TCP services (FTP, HTTP, etc.). It is vulnerable in a way similar to FTP Bounce, in that an attacker can connect to this port and bounce out to another internal host. This is done either to reach a protected internal host or to mask the true source of an attack. Listen for connection attempts to this port: they are a good sign of port scans, SOCKS probes, or bounce attacks. It is also a means to access restricted resources. Example: bouncing off a MILNET gateway SOCKS port allows an attacker to access web sites, etc. that were restricted only to .mil domain hosts.
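The advice above to listen for connection attempts to port 1080 can be turned into a small log check. The following is an added example, not part of the original page: it flags sources that send repeated SYNs to TCP/1080 inside a time window and lists which hosts each one touched. The log format, the sample lines, the threshold and the window are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SOCKS_PORT = 1080
# Assumed (constructed) firewall log format, not any real product's.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)$"
)

# Constructed sample data, in chronological order (documentation IP ranges).
SAMPLE_LOG = """\
2026-01-05T10:00:01 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=1080 FLAGS=SYN
2026-01-05T10:00:02 SRC=198.51.100.20 DST=10.0.0.5 PROTO=TCP DPT=1080 FLAGS=SYN
2026-01-05T10:00:03 SRC=203.0.113.7 DST=10.0.0.9 PROTO=TCP DPT=443 FLAGS=SYN
2026-01-05T10:00:05 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=1080 FLAGS=SYN
2026-01-05T10:00:09 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=1080 FLAGS=SYN
this line is garbled and must be skipped
2026-01-05T10:01:00 SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP DPT=1080 FLAGS=SYN
2026-01-05T10:01:01 SRC=192.0.2.44 DST=10.0.0.6 PROTO=TCP DPT=1080 FLAGS=SYN
2026-01-05T10:01:02 SRC=192.0.2.44 DST=10.0.0.7 PROTO=TCP DPT=1080 FLAGS=SYN
2026-01-05T10:05:00 SRC=198.51.100.20 DST=10.0.0.6 PROTO=TCP DPT=1080 FLAGS=SYN
"""

def find_socks_probers(lines, threshold=3, window=timedelta(seconds=60)):
    """Return {src: sorted targets} for sources that sent at least
    `threshold` SYNs to TCP/1080 within `window`. Lines must be time-ordered."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    targets = defaultdict(set)    # src -> every host probed on port 1080
    flagged = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["dpt"]) != SOCKS_PORT or m["flags"] != "SYN":
            continue              # unparsable, other port, or not a new connection
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        targets[m["src"]].add(m["dst"])
        if len(q) >= threshold:
            flagged.add(m["src"])
    return {src: sorted(targets[src]) for src in flagged}

if __name__ == "__main__":
    for src, dsts in find_socks_probers(SAMPLE_LOG.splitlines()).items():
        kind = "sweep across hosts" if len(dsts) > 1 else "repeated probe of one host"
        print(f"{src}: {kind} on TCP/{SOCKS_PORT} -> {', '.join(dsts)}")
```

A source that hits one host repeatedly and a source that sweeps several hosts are both flagged; the list of targets is what tells the two patterns apart.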


Contribute your Thoughts:

Galen
4 months ago
Wait, are we sure it's not something else?
upvoted 0 times
...
Charisse
4 months ago
Nah, it's probably just a misconfigured proxy.
upvoted 0 times
...
Rodrigo
4 months ago
I think it could be a breach, though.
upvoted 0 times
...
Bobbye
4 months ago
Definitely sounds like a SOCKS issue.
upvoted 0 times
...
Carmen
4 months ago
Port 1080 is commonly used for SOCKS.
upvoted 0 times
...
Maynard
5 months ago
I vaguely remember something about Wingate and FTP redirection, but I can't recall the details. Option C doesn't seem likely, though.
upvoted 0 times
...
Marleen
5 months ago
I feel like if Eric is seeing repeated probes, it could indicate a breach, but I don't want to jump to conclusions. Option A seems too definitive for me.
upvoted 0 times
...
Dong
5 months ago
I think I came across a practice question about covert channels using ICMP, but I don't recall the specifics. Option B might be a possibility, but it feels a bit off.
upvoted 0 times
...
Junita
5 months ago
I remember studying about port 1080 being associated with SOCKS, so option D seems plausible, but I'm not entirely sure if that's the only explanation.
upvoted 0 times
...
Chuck
5 months ago
Okay, let me think this through. The question is asking about restricting the number of subdirectories, so it's probably not -s or -n, which are more general options. I'm leaning towards -maxdepth, but I'll double-check the man page just to be sure.
upvoted 0 times
...
Flo
5 months ago
I think I've got a good handle on this. The trick is to work backwards from the loss on sale to find the proceeds. As long as I double-check my work, I should be able to nail this question.
upvoted 0 times
...
Lenna
5 months ago
Ah, this is a good one! The key here is remembering that /etc/passwd is the standard file that contains user account information, including the home directory and login shell. I'm pretty sure that's the right answer.
upvoted 0 times
...
