Appendix D Flashcards

1
Q

What port is utilised by Telnet

A

TCP 23

2
Q

What are the main security concerns regarding Telnet

A

Doesn’t encrypt communications or passwords, so credentials can be sniffed with a packet analyser. Telnet has no mechanism for either host to authenticate the other, hence no MitM protection. Multiple vulnerabilities relating to telnet daemons. Vulnerable to brute-force attacks.

3
Q

What are the main security concerns of HTTP & HTTPS based management systems

A

Credentials are transmitted in clear text over HTTP and can be sniffed with a packet analyser (HTTPS removes this only if the certificate and TLS configuration are sound). Web application vulnerabilities in the management interface: SQLi, XSS, authentication bypass. Vulnerable to brute-force attacks.

4
Q

What are the main security concerns of using SSH

A

Outdated SSH versions are vulnerable to a range of issues. SSH with CBC-mode ciphers may allow an attacker to recover up to 32 bits of plaintext from a block. Servers can be configured with weak MAC algorithms (MD5-based or 96-bit MACs). Vulnerable to brute-force attacks. Servers may be configured to accept the “none” authentication method, i.e. no authentication at all.

5
Q

What is SNMP

A

Simple Network Management Protocol. Devices that typically support SNMP include routers, switches, servers, workstations, printers etc. SNMP is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention.

6
Q

What layer does SNMP operate on

A

Application (7)

7
Q

What ports does SNMP utilise

A

UDP 161 (agent; GET/SET requests) & UDP 162 (manager; traps)

8
Q

What are the main security concerns of SNMP

A

Connectionless (UDP), so vulnerable to IP spoofing attacks. In v1 and v2c, client authentication is a “community string” rather than a real password; it is sent in clear text and is susceptible to packet sniffing. No challenge-response handshake, so community strings (and v3 authentication / privacy passphrases) can be brute-forced. Default community strings “public” (read) and “private” (read-write) are frequently left in place; a read-write string allows the device to be reconfigured.
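
The following is an added example (not part of the flashcard deck) that builds an SNMPv1 GetRequest byte-for-byte and then decodes it the way a passive sniffer would, to show that the community string is carried as a plain OCTET STRING with nothing protecting it. Encoding follows RFC 1157 / ASN.1 BER; the community strings, request id and the sysDescr OID are illustrative inputs, and send_get() is only there for use against a lab agent.

```python
"""SNMPv1 GetRequest builder plus the decoder a sniffer would use.

Added example, not from the flashcard deck. Encoding follows RFC 1157 (ASN.1 BER).
In v1/v2c the community string is the whole authentication and rides in a plain
OCTET STRING, so extract_community() recovers it from any captured datagram.
The community strings and OID used here are illustrative inputs only.
"""

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # sysDescr.0 from MIB-II, a safe first probe


def ber_len(n):
    """BER definite length: one byte below 128, otherwise 0x80|count then the bytes."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear (128 -> 00 80)."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def ber_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])     # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                # base-128, high bit = "more follows"
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_snmp_get(community, oid=SYS_DESCR, request_id=1):
    """SNMPv1 GetRequest: SEQUENCE { version 0, community, GetRequest-PDU [0xA0] }."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))          # OID + NULL value
    varbind_list = tlv(0x30, varbind)
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + varbind_list)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                             # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def extract_community(packet):
    """What a passive sniffer gets from one captured v1/v2c datagram."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(msg, 0)
    if int.from_bytes(version, "big") not in (0, 1):   # 0 = v1, 1 = v2c
        raise ValueError("SNMPv3 does not carry a community string")
    _, community, _ = _read_tlv(msg, pos)
    return community.decode()


def send_get(host, packet, timeout=2.0):
    """Send to UDP/161 and return the raw reply; only for use against a lab agent."""
    import socket
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, 161))
        return sock.recv(4096)


if __name__ == "__main__":
    for community in ("public", "private"):     # the two defaults worth testing for
        pkt = build_snmp_get(community)
        print(f"{community:8s} {pkt.hex()}  sniffed -> {extract_community(pkt)}")
```

Running it prints the two 40-byte requests with the community string visible in the hex; any tool that sees the datagram can do what extract_community() does. SNMPv3 with authPriv is the fix, and even then the passphrases must survive an offline guess because there is still no challenge-response.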

9
Q

What is TFTP

A

Trivial File Transfer Protocol is a simple, lock-step file transfer protocol over UDP which allows a client to get a file from, or put a file onto, a remote host. One of its primary uses is in the early stages of nodes booting from a local area network (and for moving configurations and images to and from network devices). TFTP is used for these purposes because it is very simple to implement.

10
Q

What port is used by TFTP

A

UDP 69

11
Q

What are the three modes of transfer used by TFTP

A

Netascii, Octet and Mail (mail mode is obsolete; RFC 1350 says it should not be implemented or used).

12
Q

What are the primary security concerns for TFTP

A

No authentication. Communications are sent in clear text. Sensitive files (e.g. device configurations) can be extracted if the filename and path are known or guessed; where writes are permitted, files can also be overwritten.
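
The following is an added example (not part of the flashcard deck) showing the RFC 1350 wire format: a read request is just opcode + filename + mode with no credential field, which is the whole reason a guessable path is enough. It also walks the DATA/ACK lock-step, including a retransmitted block and the short final block that ends the transfer. The filename and the sample transfer are constructed for illustration.

```python
"""TFTP (RFC 1350) packet builders, parser and lock-step receiver.

Added example, not from the flashcard deck. A read request is nothing more than
opcode + filename + mode: there is no credential field, so a guessable path is the
entire "attack". The receiver shows the DATA/ACK lock-step and why a short block
ends the transfer. The filename and the sample transfer are constructed.
"""
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512
ERROR_CODES = {0: "Not defined", 1: "File not found", 2: "Access violation",
               3: "Disk full", 4: "Illegal TFTP operation", 5: "Unknown transfer ID",
               6: "File already exists", 7: "No such user"}


def build_rrq(filename, mode="octet"):
    """Read request. 'mail' is rejected: RFC 1350 declares it obsolete."""
    if mode not in ("netascii", "octet"):
        raise ValueError("mode must be netascii or octet")
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def parse_packet(pkt):
    """Decode any TFTP datagram into a dict; everything is plaintext on the wire."""
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode in (RRQ, WRQ):
        filename, mode = pkt[2:].split(b"\0")[:2]
        return {"op": "RRQ" if opcode == RRQ else "WRQ",
                "filename": filename.decode(), "mode": mode.decode()}
    if opcode == DATA:
        (block,) = struct.unpack("!H", pkt[2:4])
        payload = pkt[4:]
        return {"op": "DATA", "block": block, "data": payload,
                "last": len(payload) < BLOCK_SIZE}
    if opcode == ACK:
        return {"op": "ACK", "block": struct.unpack("!H", pkt[2:4])[0]}
    if opcode == ERROR:
        (code,) = struct.unpack("!H", pkt[2:4])
        return {"op": "ERROR", "code": code, "meaning": ERROR_CODES.get(code, "?"),
                "message": pkt[4:].split(b"\0")[0].decode()}
    raise ValueError(f"unknown opcode {opcode}")


def receive_file(datagrams):
    """Client side of a read: ACK each DATA block in order; return (bytes, acks_sent).
    Retransmitted duplicates are skipped rather than appended twice."""
    content, acks, expected = bytearray(), [], 1
    for pkt in datagrams:
        p = parse_packet(pkt)
        if p["op"] == "ERROR":
            raise RuntimeError(f"server error {p['code']} ({p['meaning']}): {p['message']}")
        if p["op"] != "DATA" or p["block"] != expected:
            continue
        content += p["data"]
        acks.append(build_ack(p["block"]))
        expected += 1
        if p["last"]:
            break
    return bytes(content), acks


# Constructed sample transfer: a full block, a retransmitted copy of it, then a
# short final block. The reassembled file should be 512 + 10 bytes.
SAMPLE_TRANSFER = [
    struct.pack("!HH", DATA, 1) + b"A" * BLOCK_SIZE,
    struct.pack("!HH", DATA, 1) + b"A" * BLOCK_SIZE,
    struct.pack("!HH", DATA, 2) + b"B" * 10,
]
SAMPLE_ERROR = struct.pack("!HH", ERROR, 1) + b"File not found\0"


if __name__ == "__main__":
    print(build_rrq("startup-config"))            # illustrative filename
    data, acks = receive_file(SAMPLE_TRANSFER)
    print(len(data), "bytes,", len(acks), "ACKs")
    print(parse_packet(SAMPLE_ERROR))
```

The ERROR packet is worth noting from the defender's side: a server that answers “File not found” for one name and “Access violation” for another is confirming which files exist, so an attacker's guessing loop needs no authentication and gets useful feedback on every miss.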

13
Q

What is Cisco Reverse Telnet

A

A Telnet connection to a device (typically a terminal / access server) that then “reverses” out of one of that device's asynchronous ports to control whatever is connected to it. Used to reach serially connected equipment such as the console ports of other network devices.

14
Q

What port does Cisco Reverse Telnet operate on

A

TCP 2000 + line number, e.g. TCP 2001, 2003 and 2004 for lines 1, 3 and 4.

15
Q

What are the main vulnerabilities associated with Cisco Reverse Telnet

A

The same weaknesses as Telnet: doesn't encrypt communications or passwords, so credentials can be sniffed with a packet analyser; no mechanism for either host to authenticate the other, hence no MitM protection; multiple vulnerabilities relating to telnet daemons; vulnerable to brute-force attacks. In addition, the reverse-telnet ports give an attacker a console session on the serially attached device.

16
Q

What is NTP

A

Network Time Protocol, used to synchronise clocks on servers and network devices

17
Q

What port does NTP operate on

A

UDP 123

18
Q

What are the main security concerns regarding NTP

A

Susceptible to MitM attacks (time manipulation) unless packets are authenticated. Query overhead can cause a DoS scenario. DDoS amplification: commands such as monlist sent to the NTP server with a spoofed source address elicit large replies to the victim. Queries can enumerate system information such as hostname, CPU, OS and daemon version.

19
Q

What are the three main tools used for network traffic analysis

A

Wireshark, Cain & Abel and Ettercap

20
Q

What is ARP

A

Address Resolution Protocol, resolves a network layer (3) IP address to the link layer (2) MAC address that owns it (IP to MAC).

21
Q

What are the main security concerns regarding ARP

A

ARP Spoofing / Cache Poisoning: 1) Attacker crafts ARP replies claiming a legitimate host's IP address with the attacker's own MAC address. 2) Attacker sends the spoofed ARP messages onto the network (ARP has no authentication, so they are accepted). 3) Recipients update their ARP cache, mapping the legitimate IP address to the attacker's MAC. 4) Traffic is intercepted.

22
Q

ARP spoofing opens up what attack possibilities

A

DoS: attacker drops the intercepted packets. MitM: traffic can be modified before forwarding it to the destination. MAC Flooding (a related layer 2 attack): flood the switch with frames bearing bogus source MACs until its CAM table is full and it floods unicast traffic out of every port like a hub.

23
Q

What measures can be taken to prevent ARP spoofing

A

Static ARP entries (for gateways and other critical hosts). ARP spoofing detection software (alerts when an IP's MAC mapping changes). Switch features such as Dynamic ARP Inspection with DHCP snooping. OS security (host hardening, and encrypted protocols so that intercepted traffic is of no use).
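
The following is an added example (not part of the flashcard deck) covering the three preceding cards: it builds and parses raw 28-byte ARP packets, replays a constructed capture in which an attacker claims first the gateway's IP and then the client's, and runs the kind of check that “ARP spoofing detection software” performs, seeded with a static entry for the gateway. All MAC and IP addresses are made up.

```python
"""ARP packet build/parse plus a cache-poisoning detector over a constructed capture.

Added example, not from the flashcard deck. ARP replies carry no authentication, so
a host's only defences are a static table and watching for mappings that change.
detect() flags (a) an IP whose MAC changes, (b) a change that contradicts a static
entry, and (c) one MAC claiming several IPs (gateway + victim), the MitM pattern.
All addresses are made up.
"""
import socket
import struct
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2
_ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype ptype hlen plen oper sha spa tha tpa


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Raw 28-byte ARP payload (Ethernet / IPv4)."""
    return _ARP.pack(1, 0x0800, 6, 4, oper, _mac(sender_mac), socket.inet_aton(sender_ip),
                     _mac(target_mac), socket.inet_aton(target_ip))


def parse_arp(pkt):
    _, _, _, _, oper, sha, spa, tha, tpa = _ARP.unpack(pkt[:28])
    fmt = lambda m: ":".join(f"{b:02x}" for b in m)
    return {"oper": oper, "sender_mac": fmt(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": fmt(tha), "target_ip": socket.inet_ntoa(tpa)}


GATEWAY, CLIENT, ATTACKER = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:50", "de:ad:be:ef:00:ee"
STATIC_ENTRIES = {"192.168.1.1": GATEWAY}     # the static-ARP mitigation for the gateway

# Constructed capture of (timestamp, packet): legitimate traffic, then the attacker
# claims the gateway's IP and the client's IP so both sides send it their frames.
SAMPLE_CAPTURE = [
    (0.0, build_arp(ARP_REPLY, GATEWAY, "192.168.1.1", CLIENT, "192.168.1.50")),
    (0.5, build_arp(ARP_REPLY, CLIENT, "192.168.1.50", GATEWAY, "192.168.1.1")),
    (3.0, build_arp(ARP_REPLY, ATTACKER, "192.168.1.1", CLIENT, "192.168.1.50")),
    (3.1, build_arp(ARP_REPLY, ATTACKER, "192.168.1.50", GATEWAY, "192.168.1.1")),
]


def detect(capture, static=STATIC_ENTRIES):
    """Return a list of (ts, alert, details) for suspicious ARP replies."""
    seen = dict(static)              # trusted seed; first sighting of other IPs is learned
    ips_by_mac = defaultdict(set)
    alerts = []
    for ts, pkt in capture:
        a = parse_arp(pkt)
        if a["oper"] != ARP_REPLY:
            continue
        ip, mac = a["sender_ip"], a["sender_mac"]
        ips_by_mac[mac].add(ip)
        prev = seen.get(ip)
        if prev is None:
            seen[ip] = mac
        elif prev != mac:
            kind = "static-entry violation" if ip in static else "mapping changed"
            alerts.append((ts, kind, f"{ip}: {prev} -> {mac}"))
        if len(ips_by_mac[mac]) > 1:
            alerts.append((ts, "one MAC claims multiple IPs", f"{mac}: {sorted(ips_by_mac[mac])}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_CAPTURE):
        print(alert)
```

The “first sighting is trusted” rule is the weak spot of any passive detector: a host that only learns mappings has no way to tell a poisoned first reply from a real one, which is why the gateway is seeded statically here and why switch-side Dynamic ARP Inspection (validated against the DHCP snooping binding table) is preferable on networks that can use it.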

24
Q

What does DHCP stand for

A

Dynamic Host Configuration Protocol

25
Q

What ports are used by DHCP

A

UDP 67 (server) and UDP 68 (client)

26
Q

What are the main security concerns regarding DHCP

A

DHCP Spoofing (MitM): 1) A rogue server answers the client's DHCP DISCOVER / REQUEST faster than the legitimate DHCP server. 2) Attacker advertises itself as default gateway and DNS server. 3) Attacker is now MitM, intercepting traffic through impersonation. DHCP Exhaustion / Starvation (DoS): 1) Attacker requests all IP addresses from the DHCP pool using spoofed client MACs. 2) Legitimate users can no longer obtain an IP address. Mitigation for both: DHCP snooping on the switch, with port security limiting MACs per port.

27
Q

What does CDP stand for

A

Cisco Discovery Protocol

28
Q

What are the main security concerns for CDP

A

Information Disclosure: CDP is unauthenticated and multicast in clear text, revealing platform, software version, IP addresses and native VLAN. CDP Cache Overflow: DoS when a device receives too many CDP packets. CDP Cache Pollution: DoS when a device becomes unusable due to fake information. Power Exhaustion: switch reserves PoE power for fake devices and denies power to real ones.

29
Q

What is HSRP

A

Hot Standby Router Protocol is a proprietary protocol developed by Cisco which is used to establish a fault tolerant gateway through active and standby routers

30
Q

What port does HSRP use

A

UDP 1985 (HSRPv1 hellos are multicast to 224.0.0.2)

31
Q

What are the main security concerns regarding HSRP

A

DoS: attacker sends HSRP hellos with priority 255 (the maximum) to become the Active router; legitimate routers become Standby. MitM: once the attacker is the Active router, outbound traffic is intercepted. Information Disclosure: HSRP hellos are multicast in clear text, revealing the router IP addresses and the authentication string (default “cisco”).

32
Q

What is VRRP

A

Virtual Router Redundancy Protocol (an open standard, IP protocol 112), the non-proprietary equivalent of HSRP with much the same weaknesses.

33
Q

What is VTP

A

VLAN Trunking Protocol, VTP allows central management and configuration of VLANs on all VTP devices from one device.

34
Q

What are the main security concerns regarding VTP

A

VTP misconfigurations such as: no / weak authentication; old VTP version; VTP enabled on all (trunk) ports. Can lead to: DoS, disabling or deleting a VLAN on one device removes it from every VTP server and client in the domain; DoS, creating VLANs on all VTP devices, causing outages and increased multicast / broadcast traffic.

35
Q

What is STP

A

Spanning Tree Protocol, prevents bridge loops and broadcast radiation. Includes spare redundant links to provide automatic backup paths if an active link fails.

36
Q

How does STP determine priority

A

Root bridge is determined by the lowest Bridge ID. Bridge ID = Priority + MAC, e.g. 32768.0200.0000.1111. Default priority = 32768. If two devices tie on priority, the device with the lowest MAC becomes Root Bridge.

37
Q

What is BPDU

A

Bridge Protocol Data Unit, used to exchange information about bridge IDs and root path costs. Bridges send BPDU frames from their own MAC address every 2 seconds (the hello time).

38
Q

What are the main security concerns regarding STP

A

No authentication. MitM / root takeover: an attacker can send BPDUs with the same priority as the root bridge and a lower MAC address (or simply a lower priority) to win the root bridge election, so traffic is re-routed through the attacker. Mitigations: BPDU Guard on access ports, Root Guard on ports that should never lead to the root.
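
The following is an added example (not part of the flashcard deck) for the STP cards above: it parses bridge IDs in the deck's priority.MAC notation, runs the root election, and models the switch-side decision for an incoming BPDU so the effect of BPDU Guard and Root Guard is visible. The MAC addresses are made up.

```python
"""STP root election and the guard checks that stop a rogue root.

Added example, not from the flashcard deck. Bridge IDs use the priority.MAC
notation from the cards; the lower tuple (priority, MAC) wins. MACs are made up.
"""

def parse_bridge_id(bid):
    """'32768.0200.0000.1111' -> (32768, 0x020000001111); lower tuple wins."""
    prio, *mac = bid.split(".")
    return int(prio), int("".join(mac), 16)


def elect_root(bridge_ids):
    """Root bridge = lowest Bridge ID; priority first, MAC breaks the tie."""
    return min(bridge_ids, key=parse_bridge_id)


def is_superior(candidate, current_root):
    return parse_bridge_id(candidate) < parse_bridge_id(current_root)


def handle_bpdu(port, bpdu_root_id, current_root):
    """Switch-side decision for a BPDU arriving on `port`.

    port = {"edge": bool (access / PortFast port), "root_guard": bool}
    Returns 'err-disabled' (BPDU Guard), 'root-inconsistent' (Root Guard),
    'new-root' (election lost) or 'accept'.
    """
    if port["edge"]:
        return "err-disabled"            # BPDU Guard: end hosts must never speak STP
    if is_superior(bpdu_root_id, current_root):
        if port["root_guard"]:
            return "root-inconsistent"   # Root Guard: the root may not lie behind this port
        return "new-root"                # unguarded: the attacker wins the election
    return "accept"


if __name__ == "__main__":
    legit = ["32768.0200.0000.1111", "32768.0200.0000.2222"]
    rogue = "32768.0200.0000.0001"       # same priority, lower MAC
    print("root:", elect_root(legit), "->", elect_root(legit + [rogue]))
    for port in ({"edge": True, "root_guard": False}, {"edge": False, "root_guard": True},
                 {"edge": False, "root_guard": False}):
        print(port, handle_bpdu(port, rogue, elect_root(legit)))
```

Note that an attacker does not have to bother with MAC games: priority 0 beats any default-priority bridge outright, so a single Linux host running a bridge with priority 0 on an unguarded port becomes root, and the guard features, not a low MAC on the real root, are what keep it out.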

39
Q

What is TACACS+

A

Terminal Access Controller Access Control System Plus, a Cisco protocol that allows a remote access server (RAS) or network device to communicate with an authentication server to determine whether a user has access to the network. Unlike RADIUS, it separates authentication, authorisation and accounting and encrypts the whole packet body rather than just the password.

40
Q

What port does TACACS+ use

A

TCP 49

41
Q

TACACS+ supports an AAA architecture, what does this mean

A

Authentication = validating the identity of a user. Authorisation = granting access to a user or device. Accounting = tracking user connectivity and activity.

42
Q

What are the main vulnerabilities associated with TACACS+

A

Lack of integrity checking in Accounting. Replay attacks can duplicate Accounting records. Reply packets could be decrypted. Lack of padding: lengths of user passwords can be determined. Packet body length DoS / overflow. The body “encryption” is an MD5-derived keystream XORed with the shared secret, so a weak or reused secret undermines all of it.

43
Q

What is the SIP protocol

A

Session Initiation Protocol is a signaling communications protocol, widely used for controlling multimedia communication sessions such as voice and video calls over IP networks.

44
Q

What ports are used by SIP

A

Insecure: UDP/TCP 5060. Secure (SIP over TLS): TCP 5061.

45
Q

What layer of the OSI model does SIP operate on

A

Application (7)

46
Q

What are 5 architecture elements of SIP

A

User Agents (UA) - client that initiates a SIP session. Proxy server - receives SIP requests and routes to next hop. Redirect server - takes processing load from proxy server. Registrar server - maps URLs to location / IP Address Location server - Used by proxy/redirect to find UA location

47
Q

What are the 9 SIP requests

A

INVITE - initiates a session. BYE - terminates a session. OPTIONS - lists the methods a server supports. REGISTER - registers a UA's location. ACK - acknowledges the final response to an INVITE. CANCEL - cancels a pending INVITE. REFER - asks the UA to contact another resource (call transfer). SUBSCRIBE - requests NOTIFYs. NOTIFY - transfers live information about state changes.

48
Q

What are the SIP responses

A

1xx - provisional / informational responses. 2xx - successful responses. 3xx - redirection responses. 4xx - client failure (e.g. 401 Unauthorized, 407 Proxy Authentication Required). 5xx - server failure. 6xx - global failure.
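
The following is an added example (not part of the flashcard deck) for the two SIP cards above: a parser that classifies a message as one of the nine request methods or a response class, extracts the headers an assessor looks at first, and reads the RTP port out of an SDP body. The two constructed messages are an INVITE and the 401 Digest challenge a registrar returns to it; addresses, tags and the nonce are made up.

```python
"""SIP start-line / header parser and SDP media extractor over constructed messages.

Added example, not from the flashcard deck. Classifies a message as one of the nine
request methods or a response class, pulls the headers a pentester looks at first
(Via, From, To, Call-ID, CSeq, WWW-Authenticate) and reads the RTP port out of an
SDP body. The addresses, tags and nonce are made up.
"""

SIP_METHODS = {
    "INVITE": "initiates a session", "ACK": "acknowledges final response to INVITE",
    "BYE": "terminates a session", "CANCEL": "cancels a pending INVITE",
    "OPTIONS": "queries supported methods", "REGISTER": "registers a UA's location",
    "REFER": "asks the UA to contact another resource", "SUBSCRIBE": "asks for NOTIFYs",
    "NOTIFY": "reports a state change",
}
RESPONSE_CLASSES = {1: "provisional", 2: "success", 3: "redirection",
                    4: "client failure", 5: "server failure", 6: "global failure"}


def parse_sip(raw):
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if parts[0].startswith("SIP/"):                # status line: SIP/2.0 401 Unauthorized
        code = int(parts[1])
        return {"kind": "response", "status": code, "class": RESPONSE_CLASSES[code // 100],
                "reason": parts[2], "headers": headers, "body": body}
    method, uri = parts[0], parts[1]                # request line: INVITE sip:x SIP/2.0
    if method not in SIP_METHODS:
        raise ValueError(f"unknown SIP method {method}")
    return {"kind": "request", "method": method, "meaning": SIP_METHODS[method],
            "uri": uri, "headers": headers, "body": body}


def sdp_media(body):
    """[(media, port)] from SDP 'm=' lines, i.e. where RTP will land."""
    out = []
    for line in body.splitlines():
        if line.startswith("m="):
            media, port = line[2:].split()[:2]
            out.append((media, int(port)))
    return out


SAMPLE_SDP = ("v=0\r\no=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\ns=-\r\n"
              "c=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SAMPLE_SDP)}\r\n\r\n" + SAMPLE_SDP
)
SAMPLE_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "WWW-Authenticate: Digest realm=\"example.com\", nonce=\"abc123\"\r\n"
    "Content-Length: 0\r\n\r\n"
)


if __name__ == "__main__":
    req = parse_sip(SAMPLE_INVITE)
    print(req["method"], req["meaning"], sdp_media(req["body"]))
    resp = parse_sip(SAMPLE_401)
    print(resp["status"], resp["class"], resp["headers"]["www-authenticate"])
```

Two things the parsed output makes obvious: over UDP 5060 every one of these fields (callers, Call-ID, the Digest challenge and the client's eventual response) is readable, and the `m=` line tells anyone sniffing exactly which UDP port the unencrypted RTP audio will use.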

49
Q

What is RTP

A

SIP employs RTP (Real-time Transport Protocol) to carry the media streams (audio and video). RTP is paired with RTCP (RTP Control Protocol), which monitors QoS and conveys information about the participating UAs. RTP and RTCP use dynamically negotiated UDP ports in the range 1024 to 65535 (the ports are agreed in SDP), which firewalls must track. Media is unencrypted unless SRTP is used.

50
Q

What is SCCP

A

Skinny Call Control Protocol, a Cisco proprietary signalling protocol between IP phones and Cisco Unified Communications Manager; media is carried by RTP. Clients: Cisco 7900 series, Cisco IP Communicator, 802.11b Wireless IP Phone, Cisco Unity Voicemail Server. SCCP: TCP/2000. SCCPS (over TLS): TCP/2443.

51
Q

What is SDP

A

Session Description Protocol, carried in SIP message bodies, negotiates the media session: codecs for encoding and decoding audio / video, and the IP addresses and UDP ports that RTP will use.

52
Q

How do 802.11 networks compare

A
53
Q

How do the security features of 802.11 networks compare

A
54
Q

What is WEP

A

Wired Equivalent Privacy uses a 64/128 bit RC4 encryption key to encrypt the layer 2 data payload. This key comprises a 40/104 bit user defined key combined with a 24 bit Initialization Vector (IV) making the key either 64/128 bit

WEP is susceptible to the Fluhrer Mantin and Shamir (FMS) attack which uses encrypted output bytes to determine the most probable key bytes.
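
The following is an added example (not part of the flashcard deck) that implements RC4 with WEP-style keying (24-bit IV concatenated with the user key) and demonstrates the keystream-reuse weakness that the 24-bit IV makes unavoidable: two frames under the same IV XOR to the XOR of their plaintexts, and one known plaintext gives the keystream for the other. It is not the FMS key-recovery attack itself, which additionally exploits weak IV classes in the key schedule. The root key and the two frames are constructed for illustration.

```python
"""WEP-style RC4 keying (IV || root key) and what IV reuse gives an attacker.

Added example, not from the flashcard deck. This is the keystream-reuse weakness,
not the FMS key-recovery attack: the 24-bit IV is sent in the clear and is the
only thing that changes between packets, so two frames under the same IV share a
keystream. Their ciphertexts XOR to the XOR of their plaintexts, and one known
plaintext (e.g. a predictable header) yields the keystream for the other.
The root key and the frames are constructed for illustration.
"""

def rc4(key, data):
    """Plain RC4 (KSA + PRGA). Reference: rc4(b'Key', b'Plaintext') -> bbf316e8d940af0ad3."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(root_key, iv, plaintext):
    """WEP frame body: 3-byte IV in clear, then RC4(IV || root_key) over the payload.
    Real WEP also appends a CRC-32 ICV before encrypting; omitted, it adds no secrecy."""
    if len(iv) != 3 or len(root_key) not in (5, 13):
        raise ValueError("IV is 24 bits; root key is 40 or 104 bits")
    return iv + rc4(iv + root_key, plaintext)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def plaintext_xor_from_iv_reuse(frame1, frame2):
    """Two frames with the same IV: c1 ^ c2 == p1 ^ p2, no key needed."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("frames do not share an IV")
    return xor(frame1[3:], frame2[3:])


def keystream_from_known_plaintext(frame, known_plaintext):
    """Keystream for this IV; it decrypts every other frame that reuses the IV."""
    return xor(frame[3:], known_plaintext)


IV_SPACE = 2 ** 24                                  # 16.7M IVs; reuse is routine on a busy AP

ROOT_KEY = b"\x01\x23\x45\x67\x89"                  # illustrative 40-bit key
IV = b"\x0a\x0b\x0c"
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"      # predictable start of every IP frame
P1 = LLC_SNAP + b"GET / HTTP/1.1\r\n"
P2 = LLC_SNAP + b"password=hunter2"
FRAME1 = wep_encrypt(ROOT_KEY, IV, P1)
FRAME2 = wep_encrypt(ROOT_KEY, IV, P2)


def recover_second_plaintext():
    """Attacker knows (or guesses) P1; the shared keystream then opens FRAME2."""
    ks = keystream_from_known_plaintext(FRAME1, P1)
    return xor(FRAME2[3:], ks)


if __name__ == "__main__":
    print("c1^c2 == p1^p2:", plaintext_xor_from_iv_reuse(FRAME1, FRAME2) == xor(P1, P2))
    print("recovered:", recover_second_plaintext())
```

The LLC/SNAP header is the practical source of known plaintext: it begins every IP frame on 802.11, so the first eight keystream bytes of any IV are free, and with 2^24 IVs and no requirement that they be unique, a busy access point repeats one within hours.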

55
Q

What is TKIP

A

Temporal Key Integrity Protocol - A safer RC4 implementation used in WPA (Personal & Enterprise) for encryption and integrity of the data payload; it is not the authentication mechanism.

TKIP implements a key mixing function that combines the secret root key with the initialization vector before passing it to the RC4 initialization. Implements a 64-bit Message Integrity Check (MIC).

To be able to run on legacy WEP hardware with minor upgrades, TKIP uses RC4 as its cipher. TKIP also provides a rekeying mechanism. TKIP ensures that every data packet is sent with a unique encryption key.

56
Q

What is WPA

A

WiFi Protected Access utilises TKIP for both Personal and Enterprise.

WPA Personal authenticates with a pre-shared key derived from an ASCII passphrase (a captured handshake can be attacked offline with a dictionary if the passphrase is weak).
WPA Enterprise uses 802.1X with a RADIUS server to authenticate users.

WPA implements a sequence counter to protect against replay attacks. Packets received out of order will be rejected by the access point.

57
Q

What is WPA2

A

Wifi Protected Access 2 utilises the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) to encrypt the data payload. CCMP is based on Advanced Encryption Standard (AES) processing and uses a 128-bit key and a 128-bit block size.

58
Q

What is EAP

A

Extensible Authentication Protocol is an authentication framework, not a specific authentication mechanism. It provides some common functions and negotiation of authentication methods called EAP methods. There are currently about 40 different methods defined. Methods defined in IETF RFCs include EAP-MD5, EAP-POTP, EAP-GTC, EAP-TLS, EAP-IKEv2, EAP-SIM, EAP-AKA and EAP-AKA’. Additionally a number of vendor-specific methods and new proposals exist.

Commonly used modern methods capable of operating in wireless networks include EAP-TLS, EAP-SIM, EAP-AKA, LEAP and EAP-TTLS. Requirements for EAP methods used in wireless LAN authentication are described in RFC 4017.

The standard also describes the conditions under which the AAA key management requirements described in RFC 4962 can be satisfied.

59
Q

What is LEAP

A

Lightweight Extensible Authentication Protocol uses a modified version of MS-CHAP, an authentication protocol in which user credentials are not strongly protected and are easily compromised; an exploit tool called asleap was released in early 2004 by Joshua Wright.

Cisco recommends that customers who absolutely must use LEAP do so only with sufficiently complex passwords, though complex passwords are difficult to administer and enforce. Cisco’s current recommendation is to use newer and stronger EAP protocols such as EAP-FAST, PEAP, or EAP-TLS.

60
Q

What is PEAP

A

Protected Extensible Authentication Protocol encapsulates EAP within an encrypted and authenticated TLS tunnel. PEAP is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses server-side public key certificates to authenticate the server.

It then creates an encrypted TLS tunnel between the client and the authentication server. In most configurations, the keys for this encryption are transported using the server’s public key. The ensuing exchange of authentication information inside the tunnel to authenticate the client is then encrypted and user credentials are safe from eavesdropping.