312-49 Exam QuestionsBrowse all questions from this exam
Go to Exam

312-49 Exam - Question 6

A honey pot deployed with the IP 172.16.1.108 was compromised by an attacker. Given below is an excerpt from a Snort binary capture of the attack. Decipher the activity carried out by the attacker by studying the log. Please note that you are required to infer only what is explicit in the excerpt.

(Note: The student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.)

03/15-20:21:24.107053 211.185.125.124:3500 -> 172.16.1.108:111

TCP TTL:43 TOS:0x0 ID:29726 IpLen:20 DgmLen:52 DF

***A**** Seq: 0x9B6338C5 Ack: 0x5820ADD0 Win: 0x7D78 TcpLen: 32

TCP Options (3) => NOP NOP TS: 23678634 2878772 =+=+=+=+=+=+=+=+=+=+=+=+=+=

+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

03/15-20:21:24.452051 211.185.125.124:789 -> 172.16.1.103:111

UDP TTL:43 TOS:0x0 ID:29733 IpLen:20 DgmLen:84

Len: 64 -

01 0A 8A 0A 00 00 00 00 00 00 00 02 00 01 86 A0 . .............

00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00 ................

00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01 . ..............

00 00 00 11 00 00 00 00 ........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

03/15-20:21:24.730436 211.185.125.124:790 -> 172.16.1.103:32773

UDP TTL:43 TOS:0x0 ID:29781 IpLen:20 DgmLen:1104

Len: 1084 -

47 F7 9F 63 00 00 00 00 00 00 00 02 00 01 86 B8

Show Answer
Correct Answer: A

The logs show repeated connection attempts to port 111 on different IP addresses within the same subnet, which indicates the attacker was conducting a network sweep on port 111. Ports 111 and 32773 are commonly associated with network service enumeration, making it likely a network sweep was being performed to identify vulnerable systems.

Discussion

3 comments
Sign in to comment
Ariel235788Option: A
Dec 28, 2021

hard to argue on a sweep over port 111 due to the last line 03/15-20:21:24.730436 211.185.125.124:790 -> 172.16.1.103:32773 but I will agree with this answer as the other choices won't work

nirvachiOption: A
Aug 6, 2023

To select something other than A you need more specific information about the attack type, in the output.

Bennoli13Option: B
Jun 13, 2024

I should disagree with the answer. Based on the log, the most explicit activity is: B. The attacker has scanned and exploited the system using Buffer Overflow The large UDP packet to port 32773 strongly suggests a buffer overflow exploit. Per my understanding, a network sweep would involve scanning multiple IP addresses, but here, the attacker targets specific ports on the same subnet.