8.3 Following Data Through Layers 2, 3, and 4 Flashcards

1
Q

Both hackers and security pros will use the method of __________ to gather data from a specific network in order to gain access to that network.

A

Both hackers and security pros will use the method of footprinting to gather data from a specific network in order to gain access to that network.

2
Q

Footprinting can yield what information:

A

Physical addresses of devices within a network.

The IPs and ports that are being used or are accessible.

Network and network security devices being used.

3
Q

Data is routed via switches to a physical machine address, known as a ____________________

A

Data is routed via switches to a physical machine address, known as a Media Access Control (MAC) address

4
Q

A sequence of numbers such as 00:0c:29:0f:71:a3 that identifies the destination computer’s unique hardware number is called what?

A

Media Access Control (MAC) address

6
Q

To ensure data gets from LAN to machine, the ____________ maps the ___________ to an ____________ within the LAN.

A

The Address Resolution Protocol (ARP) maps the MAC address to an IP address within the LAN.

7
Q

Entries added to the ARP cache are called ___________, meaning they can be changed with future ARP replies.

A

Entries added to the ARP cache are called dynamic ARP entries, meaning they can be changed with future ARP replies.

Dynamic ARP entries will only stay in the ARP cache for a limited period of time known as the ARP cache timeout.

When the ARP cache timeout expires, the record is removed from the ARP cache and any future requests for the host require a new ARP request.

8
Q

ARP Spoofing

True or False

The hacker can send a spoof ARP message to the LAN, directing all traffic intended for the good host to the hacker’s MAC address.

A

True

After the attacker sends the spoof ARP message, all traffic originally destined for the good host is intercepted by the hacker’s device with the malicious MAC address.

9
Q

True or False

Wireshark can detect and alert on multiple MAC addresses associated with a single IP address, but it will not take any action on its own.

A

True

Instead, to counter ARP spoofing, a network administrator can create static ARP entries.

10
Q

Static ARP Entries

True or False

Static ARP entries create permanent IP-to-MAC-address mappings in the ARP cache.

A

True

Unlike the dynamic ARP entries, these cannot be changed.

11
Q

When footprinting, it’s important to check if an external host is _____________.

A

When footprinting, it’s important to check if an external host is operating and accepting connections.

12
Q

What does ping stand for and what is it?

A

ping (Packet Inter-Network Groper) is a utility used to determine if a host is operating and accepting requests.

13
Q

When we ping a host, it sends an _____________ echo request to a specific IP address and waits for a reply.

A

When we ping a host, it sends an Internet Control Message Protocol (ICMP) echo request to a specific IP address and waits for a reply.

ICMP is a protocol that network devices use to send error messages and operational information about whether a requested service or host can be reached.

14
Q

What switch do you use with ping to limit the results?

A

-c (followed by the number of echo requests to send; without a count the command will not run)

Ex. (sends four echo requests, then stops)

ping -c 4 pepsi.com

15
Q

What does this command do?

fping -s -g 107.191.96.26 107.191.96.32

A

Using fping will ping a range of IPs (here every address from 107.191.96.26 through 107.191.96.32).

16
Q

What is traceroute?

A

Traceroute is a network diagnostic tool used to track in real-time the pathway taken by a packet on an IP network from source to destination, reporting the IP addresses of all the routers it pinged in between. Traceroute also records the time taken for each hop the packet makes during its route to the destination.

17
Q

True or False

When data travels from a source to a destination, it typically follows a straight path.

A

When data travels from a source to a destination, it typically doesn’t follow a straight path.

18
Q

Redirections of data transmissions are called ________.

A

Redirections of data transmissions are called hops.

19
Q

True or False

Optimal routing paths are determined based on the “shortest path,” which is influenced by network topology.

A

True

20
Q

Network administrators can use a command-line tool like _________ to troubleshoot networking communication issues between two devices and determine where the issues are in the hops.

A

Network administrators can use a command-line tool like traceroute to troubleshoot networking communication issues between two devices and determine where the issues are in the hops.

21
Q

True or False

traceroute shows the route taken between two systems across a network.

A

True

22
Q

In addition to troubleshooting connectivity issues, traceroute can be used to:

A

Display how systems are connected, or map the network.

Generate baseline profiles of the network.

Diagnose poor network performance issues.

23
Q

ICMP and Time to Live (TTL)

Like ping, _________ also utilizes the ICMP protocol. It also shows the time taken to travel across each of these hops, from source to destination.

A

traceroute

24
Q

The ICMP header contains a field called __________

A

The ICMP header contains a field called Time to Live (TTL)

TTL is an indicator of how long a data packet can exist in a network. TTL is utilized as a decrementing hop counter. Every router that forwards the packet decrements (reduces) the TTL value by one.

25
Q

If the starting TTL value of a data packet is five, and the data travels across two routers, the TTL will drop to ______.

A

Three

When the TTL count reaches zero, the router that decremented it sends a “time exceeded” error message back to the source address.

This prevents data from being stuck in an infinite loop if it’s unable to be delivered to the destination.

26
Q

What is the difference in syntax between Windows and Mac?

A

Mac = traceroute

Windows = tracert

27
Q

What is one of the most widely used protocols?

A

TCP (Transmission Control Protocol) is one of the most widely used protocols for data transmission.

28
Q

TCP is a ______________ protocol, meaning the server must acknowledge it has received the request from the client.

A

It is a “connection-oriented” protocol, meaning the server must acknowledge it has received the request from the client.

29
Q

True or False

With TCP, if the recipient doesn’t acknowledge the request, the sender assumes the request has not been received and will attempt to resend.

A

True

30
Q

In TCP, the connection-oriented acknowledgment is known as the __________.

A

In TCP, the connection-oriented acknowledgment is known as the TCP Handshake.

31
Q

True or False

TCP is used with familiar protocols such as HTTP, HTTPS, FTP, SSH, and SMTP.

A

True

TCP also ensures that all data is transmitted without errors, in the correct order.

32
Q

What is a TCP three-way handshake?

A

The TCP three-way handshake is the process that lets both sides know data has been transmitted completely.

33
Q

What is the Three-Way Handshake: Step by Step?

A
  1. SYN (synchronize): From client to server. Client sends a SYN data packet to the server to determine if it is ready to open a connection.
  2. SYN/ACK (synchronize/acknowledge): From server to client. The server acknowledges or confirms receipt of the SYN packet.
  3. ACK (acknowledge): From client to server. Client confirms receipt of the SYN/ACK packet.
  4. Once the handshake is successfully completed, the data transmission can begin.
34
Q

Four-Way-Termination: Step by Step

A
  1. FIN (finish): From client to server. The client sends a FIN data packet to the server to close the connection.
  2. ACK: From server to client. The server acknowledges receipt of the FIN packet.
  3. FIN: From server to client. After the server terminates the connection, it sends a FIN packet.
  4. ACK: From client to server. The client acknowledges it has received the server’s FIN packet. The TCP termination process is complete.
35
Q

What are the TCP downsides?

A

Retransmissions (when the server resends packets because the client does not acknowledge receipt) and the ordering of packets can cause delays during data transmissions.

In cases when every single packet of data does not need to be transmitted, TCP is not used. For example, streaming live video.

36
Q

What are situations where it’s not necessary for all data to reach the destination?

A

Streaming

In cases when every single packet of data does not need to be transmitted, TCP is not used. For example, streaming live video.

37
Q

For situations when it’s not necessary for all data to reach the destination, there is the User Datagram Protocol (UDP)

A

UDP is better for reducing latency versus transmitting all data.

UDP is a connectionless protocol—it doesn’t require a handshake to transmit data.

UDP simply sends off the packets. Its attitude is: “If all the packets are received, great. If not, that’s okay too.”

38
Q

True or False

The order of the setup for a three-way handshake is SYN-ACK, ACK, SYN.

A

Setup: SYN, SYN-ACK, ACK

39
Q

What’s the termination step for a three-way handshake?

A

Termination: FIN, ACK, FIN, ACK

40
Q

We can check for open ports on a network by sending a SYN request to every port on that network. If we receive a SYN/ACK response, we know the port is __________.

A

We can check for open ports on a network by sending a SYN request to every port on that network. If we receive a SYN/ACK response, we know the port is open.

41
Q

True or False

The purpose of the SYN Scan is to determine the states of the ports on a network.

A

True

42
Q

What are the three main port states?

A

Open, closed and filtered

Open means the port is accepting connections.

Closed means it is not accepting connections.

Filtered means it may be open, but a firewall or another network device is likely blocking it.

43
Q

After doing a SYN scan, a total of 5 packets tells you what?

A

The port is open

44
Q

After doing a SYN scan, a total of 2 packets tells you what?

A

Closed

45
Q

After doing a SYN scan, seeing 1 packet tells you what?

A

Filtered