8.3 Following Data Through Layers 2, 3, and 4 Flashcards
Both hackers and security pros will use the method of __________ to gather data from a specific network in order to gain access to that network.
Both hackers and security pros will use the method of footprinting to gather data from a specific network in order to gain access to that network.
Footprinting can yield what information:
Physical addresses of devices within a network.
The IPs and ports that are being used or are accessible.
Network and network security devices being used.
Data is forwarded by switches (at Layer 2) to a physical machine address, known as a ____________________
Data is forwarded by switches (at Layer 2) to a physical machine address, known as a Media Access Control (MAC) address
A sequence of six hexadecimal byte values such as 00:0c:29:0f:71:a3 that identifies the destination computer’s unique hardware address
is called what?
Media Access Control (MAC) address
To ensure data gets from the LAN to the right machine, the ____________ maps an ___________ to a ____________ within the LAN.
The Address Resolution Protocol (ARP) maps an IP address to a MAC address within the LAN.
Entries added to the ARP cache are called ___________, meaning they can be changed with future ARP replies.
Entries added to the ARP cache are called dynamic ARP entries, meaning they can be changed with future ARP replies.
Dynamic ARP entries will only stay in the ARP cache for a limited period of time known as the ARP cache timeout.
When the ARP cache timeout expires, the record is removed from the ARP cache and any future requests for the host require a new ARP request.
ARP Spoofing
True or False
The hacker can send a spoofed ARP message to the LAN, directing all traffic intended for the good host to the hacker’s MAC address.
True
After the attacker sends the spoofed ARP message, all traffic originally destined for the good host is intercepted by the hacker’s device, because the victims now map the good host’s IP address to the hacker’s MAC address.
True or False
Wireshark can detect and flag (as a duplicate IP address warning in its expert info) a single IP address that is associated with multiple MAC addresses, but it will not take any action on its own.
True
Instead, to counter ARP spoofing, a network administrator can create static ARP entries.
Static ARP Entries
True or False
Static ARP entries create permanent IP-to-MAC-address mappings in the ARP cache.
True
Unlike dynamic ARP entries, these are neither overwritten by later ARP replies nor removed by the ARP cache timeout.
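The cards on ARP above (dynamic entries, the cache timeout, spoofed replies, and static entries) describe a small state machine, and it is easiest to see why static entries defeat the attack by running it. The following is an added example, not code from the flashcards: a simulated host ARP cache in Python. The addresses, the 60-second timeout and the "duplicate IP" alert list are assumptions made up for the example.

```python
"""Simulated host ARP cache: dynamic entries that expire and can be overwritten,
static entries that cannot, and a Wireshark-style "one IP, two MACs" alert.
All addresses are made up for the example."""
from dataclasses import dataclass, field

ARP_CACHE_TIMEOUT = 60.0  # assumed timeout in seconds; real stacks use their own value


@dataclass
class ArpEntry:
    mac: str
    static: bool
    learned_at: float


@dataclass
class ArpCache:
    timeout: float = ARP_CACHE_TIMEOUT
    entries: dict = field(default_factory=dict)   # ip -> ArpEntry
    alerts: list = field(default_factory=list)    # (ip, old_mac, new_mac)

    def add_static(self, ip, mac):
        """Administrator-pinned mapping; never overwritten or expired."""
        self.entries[ip] = ArpEntry(mac.lower(), True, 0.0)

    def on_arp_reply(self, ip, mac, now):
        """Process an ARP reply claiming that `ip` is at `mac`.

        Returns True if the cache was updated. A reply that disagrees with the
        cached MAC is recorded as an alert either way; this is the symptom
        Wireshark flags as a duplicate IP address (ARP spoofing, or an
        innocent NIC replacement), and it is up to the operator to act on it.
        """
        mac = mac.lower()
        current = self.entries.get(ip)
        if current is not None and current.mac != mac:
            self.alerts.append((ip, current.mac, mac))
        if current is not None and current.static:
            return False                                  # static entries ignore ARP replies
        self.entries[ip] = ArpEntry(mac, False, now)      # add or overwrite a dynamic entry
        return True

    def lookup(self, ip, now):
        """MAC to put on the frame for `ip`, or None if a new ARP request is needed.

        A dynamic entry older than the ARP cache timeout is removed here, which
        is what forces the fresh ARP request the flashcards describe.
        """
        entry = self.entries.get(ip)
        if entry is None:
            return None
        if not entry.static and now - entry.learned_at > self.timeout:
            del self.entries[ip]
            return None
        return entry.mac


def spoofing_scenario():
    """Constructed scenario: a victim host, its gateway 10.0.0.1 at
    00:0c:29:0f:71:a3, and an attacker at 00:11:22:33:44:55 who sends a
    spoofed reply claiming the gateway's IP. Returns the MAC the victim
    would send gateway-bound traffic to, with and without a static entry."""
    victim = ArpCache()
    victim.on_arp_reply("10.0.0.1", "00:0c:29:0f:71:a3", now=0.0)    # genuine reply
    victim.on_arp_reply("10.0.0.1", "00:11:22:33:44:55", now=5.0)    # spoofed reply
    hijacked_to = victim.lookup("10.0.0.1", now=6.0)

    hardened = ArpCache()
    hardened.add_static("10.0.0.1", "00:0c:29:0f:71:a3")
    hardened.on_arp_reply("10.0.0.1", "00:11:22:33:44:55", now=5.0)  # same spoofed reply
    still_to = hardened.lookup("10.0.0.1", now=6.0)
    return hijacked_to, still_to, victim.alerts, hardened.alerts
```

In the scenario the victim's dynamic entry is silently overwritten and gateway-bound frames go to the attacker, while the hardened cache keeps the pinned MAC. Both caches record the conflicting reply, which is the point of the Wireshark card: detection is cheap, but only a static entry (or a switch feature such as dynamic ARP inspection) actually stops the redirection.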
When footprinting, it’s important to check if an external host is _____________.
When footprinting, it’s important to check if an external host is operating and accepting connections.
What does ping stand for and what is it?
ping (Packet InterNet Groper, a backronym; the tool was named after sonar) is a utility used to determine if a host is operating and accepting requests.
When we ping a host, it sends an _____________ echo request to a specific IP address and waits on a reply.
When we ping a host, it sends an Internet Control Message Protocol (ICMP) echo request to a specific IP address and waits on a reply.
ICMP is a protocol that network devices use to send error messages and operational information about whether a requested service or host can be reached.
What switch do you use with ping to limit the number of echo requests sent?
-c (count), followed by the number of requests
Ex.
ping -c 4 pepsi.com
What does this command do?
fping -s -g 107.191.96.26 107.191.96.32
fping pings a range of IPs: -g generates the target list from the start and end addresses, and -s prints summary statistics when it finishes.
What is traceroute?
Traceroute is a network diagnostic tool used to map the pathway taken by a packet on an IP network from source to destination, reporting the IP address of each router it passed through in between. Traceroute also records the time taken for each hop the packet makes during its route to the destination.
True or False
When data travels from a source to a destination, it typically follows a straight path.
False: it typically doesn’t follow a straight path; it passes through a series of routers.
Each router a packet is passed through on its way to the destination is called a ________.
Each router a packet is passed through on its way to the destination is called a hop.
True or False
Optimal routing paths are determined based on the “shortest path,” which is influenced by network topology.
True
Network administrators can use a command-line tool like _________ to troubleshoot networking communication issues between two devices and determine where the issues are in the hops.
Network administrators can use a command-line tool like traceroute to troubleshoot networking communication issues between two devices and determine where the issues are in the hops.
True or False
traceroute shows the route taken between two systems across a network.
True
In addition to troubleshooting connectivity issues, traceroute can be used to:
Display how systems are connected, or map the network.
Generate baseline profiles of the network.
Diagnose poor network performance issues.
ICMP and Time to Live (TTL)
Like ping, _________ also relies on the ICMP protocol. It also shows the time taken to travel across each of these hops, from source to destination.
traceroute (on Linux and macOS the probes themselves are UDP datagrams by default and the per-hop replies are ICMP “time exceeded” messages; Windows tracert sends ICMP echo requests)
The IP header contains a field called __________
The IP header contains a field called Time to Live (TTL)
TTL is an indicator of how long a data packet can exist in a network. TTL is utilized as a decrementing hop counter. Every router that forwards the packet decrements (reduces) the TTL value by one.
If the starting TTL value of a data packet is five, and the data travels across two routers, the TTL will drop to ______.
Three
When the TTL count reaches zero, the router that decremented it discards the packet and sends an ICMP “time exceeded” error message back to the source address.
This prevents data from circulating forever in a routing loop if it’s unable to be delivered to the destination.
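The TTL cards above (decrement per router, "time exceeded" at zero, loop protection) and the traceroute cards are two views of one mechanism, so the following added example simulates both in Python. It is not code from the flashcards. The topology, the next-hop tables and the addresses (documentation ranges) are constructed for the example; the `silent` set models a router that drops expired packets without replying, which is what traceroute shows as `* * *`.

```python
"""Simulated IP TTL handling and a traceroute built on it (constructed topology)."""

DESTINATION = "198.51.100.80"

# Constructed next-hop table toward DESTINATION; "src" is the probing host.
# Documentation addresses, not real routers.
NEXT_HOP = {
    "src": "192.168.1.1",
    "192.168.1.1": "10.10.0.1",
    "10.10.0.1": "203.0.113.7",
    "203.0.113.7": "198.51.100.1",
    "198.51.100.1": DESTINATION,
}

# A misconfigured table with a routing loop between the first two routers.
LOOPED = {
    "src": "192.168.1.1",
    "192.168.1.1": "10.10.0.1",
    "10.10.0.1": "192.168.1.1",
}


def forward(ttl, next_hop=NEXT_HOP, destination=DESTINATION, silent=frozenset()):
    """Carry one packet from "src" with the given starting TTL.

    Every router that forwards the packet decrements TTL by one. The router at
    which TTL hits zero discards the packet and (unless it is in `silent`)
    sends an ICMP "time exceeded" message back to the source.
    Returns (remaining_ttl, replier, reached_destination).
    """
    node = next_hop["src"]
    while node != destination:
        ttl -= 1
        if ttl <= 0:
            return 0, (None if node in silent else node), False
        node = next_hop[node]
    return ttl, destination, True


def ttl_after_hops(start_ttl, hops):
    """TTL left after crossing `hops` routers on a straight path (5 across 2 -> 3).
    Returns 0 if the packet expired before reaching the destination."""
    chain = {"src": "r1" if hops else "dst"}
    for i in range(1, hops + 1):
        chain[f"r{i}"] = f"r{i + 1}" if i < hops else "dst"
    remaining, _, _ = forward(start_ttl, chain, "dst")
    return remaining


def traceroute(next_hop=NEXT_HOP, destination=DESTINATION, silent=frozenset(), max_hops=30):
    """Map the path by probing with TTL = 1, 2, 3, ...: each probe expires one
    router further along, and that router's "time exceeded" reply names it.
    A silent hop shows up as "*". Stops at the destination or after max_hops,
    which is also what bounds a probe caught in a routing loop."""
    path = []
    for ttl in range(1, max_hops + 1):
        _, replier, reached = forward(ttl, next_hop, destination, silent)
        path.append((ttl, replier or "*"))
        if reached:
            break
    return path
```

Running `traceroute(LOOPED, max_hops=6)` shows the two looping routers alternating on every line, which is how a routing loop looks in real traceroute output, and `forward(64, LOOPED)` shows the packet being discarded after 64 decrements instead of circulating forever.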
What is the difference in command name between Windows and Mac/Linux?
Mac/Linux = traceroute
Windows = tracert
What is one of the most widely used protocols?
TCP (Transmission Control Protocol) is one of the most widely used protocols for data transmission.
TCP is a ______________ protocol, meaning the server must acknowledge it has received the request from the client.
It is a “connection-oriented” protocol, meaning the server must acknowledge it has received the request from the client.
True or False
With TCP, if the recipient doesn’t acknowledge the request, the sender assumes the request has not been received and will attempt to resend.
True
In TCP, the connection-oriented acknowledgment is known as the __________.
In TCP, the connection-oriented acknowledgment is known as the TCP Handshake.
True or False
TCP is used with familiar protocols such as HTTP, HTTPS, FTP, SSH, and SMTP.
True
TCP also ensures that all data is transmitted without errors, in the correct order.
What is a TCP three-way handshake?
The TCP three-way handshake is the process that establishes a connection before any data is sent: each side confirms the other is reachable and learns the other’s initial sequence number.
What is the Three-Way Handshake: Step by Step?
- SYN (synchronize): From client to server. The client sends a SYN packet to ask the server to open a connection and announces its initial sequence number.
- SYN/ACK (synchronize/acknowledge): From server to client. The server acknowledges the client’s SYN and sends its own SYN with its initial sequence number.
- ACK (acknowledge): From client to server. The client acknowledges the server’s SYN/ACK; both sides are now in the ESTABLISHED state.
- Once the handshake is successfully completed, the data transmission can begin.
Four-Way-Termination: Step by Step
- FIN (finish): From client to server. The client has no more data to send and sends a FIN packet to begin closing the connection.
- ACK: From server to client. The server acknowledges receipt of the FIN packet (it may still send any remaining data of its own).
- FIN: From server to client. When the server has finished sending, it sends its own FIN packet.
- ACK: From client to server. The client acknowledges the server’s FIN packet. The TCP termination process is complete.
What are the TCP downsides?
Retransmissions (when the sender resends packets because the receiver has not acknowledged receipt) and in-order delivery of packets can add delay to data transmissions.
In cases when every single packet of data does not need to be transmitted, TCP is not used. For example, streaming live video.
In what situations is it not necessary for all data to reach the destination?
Streaming (for example, live video)
For situations when it’s not necessary for all data to reach the destination, there is the User Datagram Protocol (UDP).
UDP favors lower latency over delivering every packet.
UDP is a connectionless protocol: it doesn’t require a handshake to transmit data.
UDP simply sends off the packets. Its attitude is: “If all the packets are received, great. If not, that’s okay too.”
True or False
The order of the setup for the three-way handshake is SYN-ACK, ACK, SYN
False. Setup: SYN, SYN-ACK, ACK
What is the termination sequence that closes a connection opened with the three-way handshake (the four-way termination)?
Termination: FIN, ACK, FIN, ACK
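The handshake and termination cards above list the flags but not the sequence and acknowledgment numbers that make the exchange work, and those numbers are what a SYN scan or a spoofed RST has to get right. The following is an added example, not code from the flashcards: a Python simulation of one whole connection, SYN, SYN/ACK, ACK, one data segment, then FIN, ACK, FIN, ACK, with a check that every ACK matches what the peer has sent. The host names, the initial sequence numbers (1000 and 5000) and the payload are constructed for the example; real stacks randomize initial sequence numbers.

```python
"""Simulated TCP connection lifecycle: the three-way handshake, one data
exchange, and the four-way termination, with sequence/acknowledgment numbers.
Hosts, payload and initial sequence numbers are constructed for the example."""
from dataclasses import dataclass, field


def consumes(flags):
    """SYN and FIN each occupy one sequence number; pure ACKs occupy none."""
    return 1 if ("SYN" in flags or "FIN" in flags) else 0


@dataclass
class Segment:
    src: str
    dst: str
    flags: str          # "SYN", "SYN/ACK", "ACK", "PSH/ACK" or "FIN"
    seq: int            # sequence number of the first byte (or of the SYN/FIN itself)
    ack: int = 0        # next sequence number the sender expects from its peer
    payload: bytes = b""


@dataclass
class Endpoint:
    name: str
    isn: int            # initial sequence number (fixed here; real stacks randomize it)
    state: str = "CLOSED"
    snd_nxt: int = field(init=False)   # next sequence number we will send
    rcv_nxt: int = 0                   # next sequence number we expect to receive

    def __post_init__(self):
        self.snd_nxt = self.isn

    def send(self, peer, flags, payload=b""):
        seg = Segment(self.name, peer.name, flags, self.snd_nxt, self.rcv_nxt, payload)
        self.snd_nxt += len(payload) + consumes(flags)
        return seg

    def receive(self, seg):
        # An ACK must acknowledge exactly what we have sent so far; anything else
        # is the unacknowledged case that makes a real sender retransmit.
        if seg.ack and seg.ack != self.snd_nxt:
            raise ValueError(f"{self.name}: got ACK {seg.ack}, expected {self.snd_nxt}")
        self.rcv_nxt = seg.seq + len(seg.payload) + consumes(seg.flags)


def three_way_handshake(client, server):
    """SYN -> SYN/ACK -> ACK. Returns the three segments in order."""
    syn = client.send(server, "SYN")               # 1. client announces its ISN
    client.state = "SYN_SENT"
    server.receive(syn)
    server.state = "SYN_RECEIVED"
    synack = server.send(client, "SYN/ACK")        # 2. server acks the SYN, sends its own ISN
    client.receive(synack)
    client.state = "ESTABLISHED"
    ack = client.send(server, "ACK")               # 3. client acks the server's SYN
    server.receive(ack)
    server.state = "ESTABLISHED"
    return [syn, synack, ack]


def send_data(sender, receiver, payload):
    """One data segment and its acknowledgment; data advances seq by its length."""
    data = sender.send(receiver, "PSH/ACK", payload)
    receiver.receive(data)
    ack = receiver.send(sender, "ACK")
    sender.receive(ack)
    return [data, ack]


def four_way_termination(client, server):
    """FIN -> ACK -> FIN -> ACK (real FIN segments also carry the ACK flag)."""
    fin1 = client.send(server, "FIN")              # 1. client is done sending
    client.state = "FIN_WAIT_1"
    server.receive(fin1)
    server.state = "CLOSE_WAIT"
    ack1 = server.send(client, "ACK")              # 2. server acks the client's FIN
    client.receive(ack1)
    client.state = "FIN_WAIT_2"
    fin2 = server.send(client, "FIN")              # 3. server is done sending too
    server.state = "LAST_ACK"
    client.receive(fin2)
    client.state = "TIME_WAIT"
    ack2 = client.send(server, "ACK")              # 4. client acks the server's FIN
    server.receive(ack2)
    server.state = "CLOSED"
    return [fin1, ack1, fin2, ack2]


def lifecycle(client_isn=1000, server_isn=5000, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Run a whole connection and return (segments, client, server)."""
    client, server = Endpoint("client", client_isn), Endpoint("server", server_isn)
    server.state = "LISTEN"
    segments = three_way_handshake(client, server)
    segments += send_data(client, server, payload)
    segments += four_way_termination(client, server)
    return segments, client, server


def flag_sequence(segments):
    return [s.flags for s in segments]
```

With the default values the SYN/ACK carries ack=1001 (the client's ISN plus one for the SYN), the client's final handshake ACK carries ack=5001, and the 18-byte request moves the client's sequence number to 1019 before its FIN takes it to 1020. Feeding `receive` a segment with any other ACK value raises, which is the condition under which real TCP retransmits.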
We can check for open ports on a host by sending a SYN request to each port on that host. If we receive a SYN/ACK response, we know the port is __________.
We can check for open ports on a host by sending a SYN request to each port on that host. If we receive a SYN/ACK response, we know the port is open.
True or False
The purpose of the SYN Scan is to determine the states of the ports on a network.
True
What are the three main port states?
Open, closed and filtered
Open means the port is accepting connections (the host answers the SYN with a SYN/ACK).
Closed means it is not accepting connections (the host answers the SYN with a RST).
Filtered means it may be open, but a firewall or another network device is likely blocking it (no reply comes back).
After doing a SYN scan, a total of 5 packets tells you what?
The port is open: the SYN was answered with a SYN/ACK, which the scanner then tears down with a RST instead of completing the handshake.
After doing a SYN scan, a total of 2 packets tells you what?
Closed: the SYN was answered with a RST.
After doing a SYN scan, seeing 1 packet tells you what?
Filtered: only the outgoing SYN is seen and nothing comes back, so a firewall or other device is likely dropping the probe.
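The last three cards read port state off the reply to each SYN, which is exactly what an analyst does when a SYN scan shows up in a capture. The following added example, not code from the flashcards, takes a constructed list of packet records (source, source port, destination, destination port, flags), as if exported from Wireshark, infers the state of every probed port from the target's reply, and flags the probing source the way a scan detector would. The hosts, ports and the detection threshold are assumptions made for the example.

```python
"""Infer port states from the replies to SYN probes, and flag the scanning
source, over a constructed packet list (as if exported from a capture)."""
from collections import defaultdict

# Constructed records: (src, sport, dst, dport, flags), one SYN scan by
# 10.0.0.5 against 10.0.0.10. Not a real capture.
CAPTURE = [
    ("10.0.0.5", 40001, "10.0.0.10", 22, "SYN"),
    ("10.0.0.10", 22, "10.0.0.5", 40001, "SYN/ACK"),   # open: target answers SYN/ACK
    ("10.0.0.5", 40001, "10.0.0.10", 22, "RST"),       # scanner tears down the half-open connection
    ("10.0.0.5", 40002, "10.0.0.10", 23, "SYN"),
    ("10.0.0.10", 23, "10.0.0.5", 40002, "RST/ACK"),   # closed: target answers RST
    ("10.0.0.5", 40003, "10.0.0.10", 80, "SYN"),
    ("10.0.0.10", 80, "10.0.0.5", 40003, "SYN/ACK"),
    ("10.0.0.5", 40003, "10.0.0.10", 80, "RST"),
    ("10.0.0.5", 40004, "10.0.0.10", 443, "SYN"),      # filtered: no reply at all
]


def port_states(capture, scanner, target):
    """Return {port: "open" | "closed" | "filtered"} for every port the scanner probed.

    A probe starts out "filtered" (no evidence either way) and is upgraded by
    the target's reply: SYN/ACK means open, RST means closed. The scanner's
    own RST after a SYN/ACK is ignored; it tells us nothing about the port.
    """
    states = {}
    for src, sport, dst, dport, flags in capture:
        if src == scanner and dst == target and flags == "SYN":
            states.setdefault(dport, "filtered")
        elif src == target and dst == scanner:
            if flags == "SYN/ACK":
                states[sport] = "open"
            elif flags.startswith("RST"):
                states[sport] = "closed"
    return states


def syn_scan_sources(capture, threshold=3):
    """Flag (source, target) pairs where one source sent SYNs to at least
    `threshold` distinct ports of one host; the threshold is an assumed tuning knob."""
    probes = defaultdict(set)
    for src, sport, dst, dport, flags in capture:
        if flags == "SYN":
            probes[(src, dst)].add(dport)
    return {pair: sorted(ports) for pair, ports in probes.items() if len(ports) >= threshold}
```

A real capture would also contain ICMP "destination unreachable" replies from a firewall that rejects rather than drops, which likewise mean filtered; the classifier above treats silence and rejection the same way because both leave the port without a TCP reply.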