GAQM CPEH-001 Exam - Topic 6 Question 95 Discussion

Actual exam question for GAQM's CPEH-001 exam

Question #: 95
Topic #: 6

During the intelligence gathering phase of a penetration test, you come across a press release by a security products vendor stating that they have signed a multi-million dollar agreement with the company you are targeting. The contract was for vulnerability assessment tools and network based IDS systems. While researching on that particular brand of IDS you notice that its default installation allows it to perform sniffing and attack analysis on one NIC and caters to its management and reporting on another NIC. The sniffing interface is completely unbound from the TCP/IP stack by default. Assuming the defaults were used, how can you detect these sniffing interfaces?

AUse a ping flood against the IP of the sniffing NIC and look for latency in the responses.

BSend your attack traffic and look for it to be dropped by the IDS.

CSet your IP to that of the IDS and look for it as it attempts to knock your computer off the network.

DThe sniffing interface cannot be detected.

Show Suggested Answer

Suggested Answer: D

When a Nic is set to Promiscuous mode it just blindly takes whatever comes through to it network interface and sends it to the Application layer. This is why they are so hard to detect. Actually you could use ARP requests and Send them to every pc and the one which responds to all the requests can be identified as a NIC on Promiscuous mode and there are some very special programs that can do this for you. But considering the alternatives in the question the right answer has to be that the interface cannot be detected.

by Portia at Aug 24, 2024, 06:10 AM

Limited Time Offer

25%

Off

Get Premium CPEH-001 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Luz

3 months ago

I read somewhere that D might be true, but it seems unlikely.

upvoted 0 times

...

Rueben

3 months ago

Definitely C, that's a classic method!

upvoted 0 times

...

Dominga

3 months ago

Wait, the sniffing interface can't be detected? That sounds off.

upvoted 0 times

...

Julieta

4 months ago

Not sure about that, A could work too.

upvoted 0 times

...

Ricki

4 months ago

I think option B is the best way to detect it.

upvoted 0 times

...

Elliott

4 months ago

I vaguely remember that the sniffing interface is supposed to be unbound, which makes me think it might be hard to detect. Could option D be correct?

upvoted 0 times

...

Gerald

4 months ago

I’m a bit confused about the options. I feel like the sniffing interface should be detectable somehow, but I can't recall the exact method.

upvoted 0 times

...

Sue

4 months ago

I think I practiced a question similar to this where we had to identify how to interact with the IDS. Sending traffic might give us clues, right?

upvoted 0 times

...

Laurel

5 months ago

I remember something about using attack traffic to see if the IDS drops it, but I'm not sure if that's the best way to detect the sniffing interface.

upvoted 0 times

...

Basilia

5 months ago

I've got a strategy in mind. I'll focus on the details about the IDS configuration and try to come up with a way to detect the sniffing interface based on that information.

upvoted 0 times

...

Meaghan

5 months ago

I'm feeling a bit lost on this one. The different options don't seem very clear to me. I'll need to re-read the question and think it through step-by-step.

upvoted 0 times

...

Timmy

5 months ago

Hmm, I'm not sure about this one. The details about the IDS configuration have me a bit confused.

upvoted 0 times

...

Willodean

5 months ago

This question seems pretty straightforward. I think I can handle it.

upvoted 0 times

...

Erasmo

5 months ago

Okay, let me think this through. I'll need to carefully consider the information provided about the IDS setup and how to detect the sniffing interface.

upvoted 0 times

...

Vincent

5 months ago

This looks like a tricky question. I'll need to carefully review the details about the existing storage setup and the customer's requirements before deciding on the best approach.

upvoted 0 times

...

Brett

1 year ago

Haha, Option C is like something out of a cartoon. 'I'm the IDS, and I'm going to knock myself off the network!' Good one!

upvoted 0 times

Vincenza

1 year ago

Lisandra: That's true, using a ping flood could be effective.

upvoted 0 times

...

Antonio

1 year ago

I think Option A might be a more practical approach to detect the sniffing interface.

upvoted 0 times

...

Lisandra

1 year ago

Yeah, it does seem a bit unrealistic.

upvoted 0 times

...

Golda

1 year ago

Option C does sound pretty funny, like a cartoon!

upvoted 0 times

...

Howard

1 year ago

I'm going to have to go with Option A. Ping flooding the sniffing interface seems like the most reliable way to expose its existence.

upvoted 0 times

Jeffrey

1 year ago

Yeah, I would also choose Option A. It's a smart way to expose its existence.

upvoted 0 times

...

Jutta

1 year ago

Agreed, it seems like the most reliable way to detect the sniffing interface.

upvoted 0 times

...

Roslyn

1 year ago

I think Option A is the way to go. Ping flooding the sniffing interface sounds like a good plan.

upvoted 0 times

...

Mireya

1 year ago

I think D) The sniffing interface cannot be detected makes sense, as it is completely unbound from the TCP/IP stack by default.

upvoted 0 times

...

Ranee

1 year ago

Option C is just silly. Setting your IP to the IDS and expecting it to knock you off? That's not how it works, come on!

upvoted 0 times

Jaime

1 year ago

B) Send your attack traffic and look for it to be dropped by the IDS.

upvoted 0 times

...

Chantay

1 year ago

A) Use a ping flood against the IP of the sniffing NIC and look for latency in the responses.

upvoted 0 times

...

Arlene

1 year ago

D is probably the correct answer. The vendor likely designed the system to keep the sniffing interface hidden and undetectable.

upvoted 0 times

Kanisha

1 year ago

D) The sniffing interface cannot be detected.

upvoted 0 times

...

Stephaine

1 year ago

A) Use a ping flood against the IP of the sniffing NIC and look for latency in the responses.

upvoted 0 times

...

Nikita

1 year ago

I'm not sure, but I think C) Set your IP to that of the IDS and look for it as it attempts to knock your computer off the network could also work.

upvoted 0 times

...

Dierdre

2 years ago

I disagree, I believe the answer is B) Send your attack traffic and look for it to be dropped by the IDS.

upvoted 0 times

...

Na

2 years ago

I'm going with Option B. If the IDS is configured as described, it should drop any attack traffic, which would be a clear sign of the sniffing interface.

upvoted 0 times

...

Chana

2 years ago

I think the answer is A) Use a ping flood against the IP of the sniffing NIC and look for latency in the responses.

upvoted 0 times

...

Bette

2 years ago

Option A seems the most straightforward way to detect the sniffing interface. Sending a ping flood should reveal the latency in the responses, indicating the presence of the sniffing NIC.

upvoted 0 times

Bettina

1 year ago

C) Set your IP to that of the IDS and look for it as it attempts to knock your computer off the network.

upvoted 0 times

...

Lettie

1 year ago

B) Send your attack traffic and look for it to be dropped by the IDS.

upvoted 0 times

...

Amber

1 year ago

A) Use a ping flood against the IP of the sniffing NIC and look for latency in the responses.

upvoted 0 times

...