Exam CS0-002 topic 1 question 330 discussion

Actual exam question from CompTIA's CS0-002
Question #: 330
Topic #: 1

An analyst is reviewing the following output as part of an incident:

Which of the following is MOST likely happening?

  • A. The hosts are part of a reflective denial-of-service attack
  • B. Information is leaking from the memory of host 10.20.30.40
  • C. Sensitive data is being exfiltrated by host 192.168.1.10
  • D. Host 192.168.1.10 is performing firewall port knocking
Suggested Answer: B

Comments

Snkrsnaker1
Highly Voted 2 years, 2 months ago
Selected Answer: B
Answer B: 10.20.30.40 and 192.168.1.10 are both private IP addresses, which are used for internal networks. Since both IPs are private addresses, it's not really exfiltrating data. Lines 2 and 3 are what you want to be looking at. The request is Length 15, but ABCDEFJHIJ is only 10 CHARs in length, but you can see the reply is giving additional information, based on the length. That's why the answer is B. If the request IP was coming from a publicly routable IP address, then the answer would be C.
upvoted 7 times
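The clue Snkrsnaker1 points at (a reply that carries more bytes than the request it answers) is something a defender can check mechanically, because RFC 792 requires an echo reply to return the request's data unchanged. The following is an added example, not part of the original thread or the exam output: it parses constructed log lines in a made-up format and reports replies whose payload differs from the matching request.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in a made-up log format; the exam's own output is not reproduced here.
# Payloads are hex: the request carries "ABCDEFGHIJ" (10 bytes), the first reply returns 15.
SAMPLE_LOG = """\
10:15:20 ICMP ECHO REQUEST 192.168.1.10 -> 10.20.30.40 id=7 seq=1 data=4142434445464748494a
10:15:20 ICMP ECHO REPLY 10.20.30.40 -> 192.168.1.10 id=7 seq=1 data=4142434445464748494a007f454c46
10:15:21 ICMP ECHO REQUEST 192.168.1.10 -> 10.20.30.40 id=7 seq=2 data=4142434445464748494a
10:15:21 ICMP ECHO REPLY 10.20.30.40 -> 192.168.1.10 id=7 seq=2 data=4142434445464748494a
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ICMP ECHO (?P<kind>REQUEST|REPLY) (?P<src>\S+) -> (?P<dst>\S+) "
    r"id=(?P<id>\d+) seq=(?P<seq>\d+) data=(?P<data>[0-9a-fA-F]*)$"
)


def parse(log: str) -> List[dict]:
    """Parse each well-formed line into a dict; the payload is decoded from hex to bytes."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        rec = m.groupdict()
        rec["payload"] = bytes.fromhex(rec.pop("data"))
        records.append(rec)
    return records


def find_reply_anomalies(log: str) -> List[Tuple[str, str, int]]:
    """Pair each reply with the request it answers (same id/seq, endpoints reversed).
    A reply whose payload is not byte-for-byte the request data violates the echo
    contract; extra bytes are the pattern the thread attributes to a leak on the
    responder. Returns (responder, reason, extra_bytes) per finding.
    """
    requests: Dict[Tuple[str, str, str, str], bytes] = {}
    findings = []
    for rec in parse(log):
        if rec["kind"] == "REQUEST":
            requests[(rec["src"], rec["dst"], rec["id"], rec["seq"])] = rec["payload"]
            continue
        sent = requests.get((rec["dst"], rec["src"], rec["id"], rec["seq"]))
        if sent is None:
            findings.append((rec["src"], "unsolicited reply", 0))
        elif rec["payload"] != sent:
            extra = len(rec["payload"]) - len(sent)
            reason = "reply longer than request" if extra > 0 else "reply payload altered"
            findings.append((rec["src"], reason, extra))
    return findings


if __name__ == "__main__":
    for responder, reason, extra in find_reply_anomalies(SAMPLE_LOG):
        print(f"{responder}: {reason} ({extra:+d} bytes)")
```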
nawaf702
Most Recent 1 year, 9 months ago
Selected Answer: A
The answer is ((((A)))). I don't know what's going on with you guys; check this: https://www.akamai.com/glossary/what-is-icmp-flood-ddos-attack
upvoted 2 times
novolyus
1 year, 7 months ago
Nothing related to our case, but thanks.
upvoted 1 times
rmwilsn
2 years, 3 months ago
The answer is B. Please tell me how you can determine if this information is sensitive. C would not work in this scenario.
upvoted 2 times
Cookieman
2 years, 3 months ago
I asked ChatGPT what an ICMP tunneling request looks like, and this is what it said: "Sure, here's an example log of a hypothetical ICMP tunneling echo request and reply: ICMP Request Log: Date/Time: 2022-09-01 10:15:20 Source IP: 192.168.1.10 Destination IP: 8.8.8.8 Protocol: ICMP Type: Echo Request Data: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
upvoted 1 times
khrid4
2 years, 3 months ago
Selected Answer: C
After considering the points in others' comments, I'm still answering C. Ref: https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/ Not A - no spoofing takes place, and actual traffic for source and destination is seen in the capture. Not B - I have never encountered an information leak from memory making "network" actions. However, as for the output, even on the first line "ICMP ECHO REQUEST", the source already has the data ABCDEFGHIJK; surely this is not a leak from the destination (10.20.30.40). Not D - not relevant to the output log.
upvoted 2 times
Cookieman
2 years, 3 months ago
I agree with this based on example logs of ICMP tunneling
upvoted 1 times
OnA_Mule
2 years, 3 months ago
After reviewing again, I think answer B is the only one that makes sense. The ICMP response from 10.20.30.40 is corrupted, so it's possible that a memory leak on that host might trigger that.
upvoted 2 times
2Fish
2 years, 3 months ago
Agree. I see another response is stating this is Data Exfil possibly using ICMP Tunneling. However, ICMP tunneling is not commonly used and when it is used, it is deployed using special tools and is not done using the ping command.
upvoted 1 times
Kashim
2 years, 3 months ago
Selected Answer: B
Only "B. Information is leaking from the memory of host 10.20.30.40" makes sense to me, as we don't know if the data is sensitive.
upvoted 2 times
talosDevbot
2 years, 4 months ago
Selected Answer: C
This is most likely data exfiltration using ICMP Tunneling (Google it for a better understanding)
upvoted 2 times
Kashim
2 years, 3 months ago
Therefore it should be "B. Information is leaking from the memory of host 10.20.30.40", as we don't know if the data is sensitive.
upvoted 1 times
OnA_Mule
2 years, 3 months ago
A memory leak does not send data externally, so answer B doesn't make sense IMO
upvoted 1 times
OnA_Mule
2 years, 3 months ago
Changed my mind, since this is actually the response that is showing corruption...so B is probably correct.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other