CEH question

gcihgcih Member Posts: 6 ■□□□□□□□□□
I got this below question during the practice test. An answer with explaination would be welcome:

If an attacker changes her IP address to one already in use and attempts to open a TCP connection with another system on the network, what will likely happen?
A The original system that has the IP address used by the attacker will complete and accept all TCP connections initiated with other systems by the attacker.
B The network will block the packets due to IP header checksum errors.
C The original system that has the IP address used by the attacker will send a RESET to any SYN-ACK responses, tearing down the connection.
D An ACK storm will cause the connection to be torn down.



Thanks

Comments

  • f0rgiv3nf0rgiv3n Connection Overlord Member Posts: 598 ■■■■□□□□□□
    A The original system that has the IP address used by the attacker will complete and accept all TCP connections initiated with other systems by the attacker.
    - The original system wouldn't have any record of the session initiation so it probably wouldn't accept the incoming SYN-ACK.
    B The network will block the packets due to IP header checksum errors.
    - This is a bit too vague. What on the network would block you? It doesn't tell you there's a firewall or anything on the "network" that would be detecting IP header checkums and blocking you if there are errors.
    C The original system that has the IP address used by the attacker will send a RESET to any SYN-ACK responses, tearing down the connection.
    - This is my guess to the correct answer. What could happen would be the destination system would send a SYN-ACK back and if it ever got to the original system it would be like "what the hell dude, I didn't send you a SYN packet... kill that connection".

    D An ACK storm will cause the connection to be torn down.
    - This seems a bit weird, why would attempting to open a TCP connection cause an ACK storm? Also... ACK storm? Personally I haven't ever heard of an ACK storm (doesn't mean it doesn't exist but still...)


    This is a guess FYI so I could be wrong... Just showing you the way I would have picked apart the question.
  • gcihgcih Member Posts: 6 ■□□□□□□□□□
    Hi,
    ACK storm could happen during session hijacking ( Beware of ACK Storms - Penetration Testing and Network Defense )

    At first, i opted the last answer (ACK storm) but in there's NO session hijacking here. S you should be right.
    Moreover, the question has mentioned that attacker attempts to open a TCP connection with another systems which returns the SYN/ACK to victime.
    Cheers
  • f0rgiv3nf0rgiv3n Connection Overlord Member Posts: 598 ■■■■□□□□□□
    Well I don't know actually. Reading that article it talks about in the session hijacking you spoof the victim's IP and if you don't either DoS the victim's PC or use a "hunt" tool, you can cause an ACK storm.


    I think you're correct in stating D. Also in that article it states that using the "Hunt" tool it allows you to spoof the MAC address of the victim as well insuring you receive the ACK packets instead of the victim. Did the practice test have an answer and explanation? i'm curious now as well :)
  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USAAdmin Posts: 12,257 Admin
    Because it's TCP the spoofer's sequence numbering had better match the spoofee's too.


    So where did this question originate from?
Sign In or Register to comment.