CEH

(Jeff_L) #1




  1. C. Although any of these options could be symptomatic of a DoS attack, the most common
    is slow performance.

  2. A. During a SYN flood, the last step of the three-way handshake is missing, which means
    that after the SYN and SYN-ACK are performed, the final ACK is not received.


Chapter 12: Session Hijacking



  1. C. Session hijacking focuses on the victim’s session. There are different ways of accomplishing
    this task, but the basic concept is the same. Be sure to know what constitutes a session
    hijack; the exam will expect you to be able to recognize one at first glance.

  2. A. Julie is operating in the passive sense in this scenario. Sniffing traffic is a passive activity.

  3. D. Man-in-the-middle (MITM) attacks are an exam favorite; just remember that the
    broader category of session hijacking encompasses MITM attacks. Any time you see a computer
    placed in the middle, you should immediately suspect MITM or session hijacking.

  4. A. An excessive number of ARP broadcasts would indicate an ARP poisoning attack. The
    users reporting loss of connectivity may indicate an attempted session hijacking with a possible
    DoS attack.

  5. C. URLs, cookies, and hidden logins are all sources of session IDs.

  6. C. Null values are used to increment the sequence numbers of packets between the victim
    and the host. The null packets are focused to the host machine in an effort to prepare for
    desynchronizing the client.

  7. B. Source routing specifies the path the packets will take to their destination. Source routing
    can give an attacker the flexibility to direct traffic around areas that may prevent traffic
    flow or redirect traffic in an undesired fashion.

  8. B. Stealing session IDs is the main objective in web session hijacking. Session IDs allow
    the attacker to assume the role of the legitimate client without the time-consuming task of
    brute-forcing user logins or sniffing out authentication information.

  9. A. A session ID coded directly into a URL is categorized as a URL-embedded session ID.
    Remnant session information left in a browser’s history can potentially lead to another user
    or attacker attempting to reuse an abandoned session.

  10. D. The key portion of the question is that Julie is not receiving a response to her injected
    packets and commands. Although the sequence prediction does relate to TCP hijacking, the
    best answer is blind hijacking.

  11. D. SSL is designed with many goals in mind; one of them is that it is not as vulnerable to
    session hijacking as the other protocols listed here.

  12. A. IPSec provides encryption and other related services that can thwart the threat of session
    hijacking.

