Appendix D Flashcards
What port is utilised by Telnet
TCP 23
What are the main security concerns regarding Telnet
Doesn’t encrypt communications and / or passwords. Can sniff passwords with packet analyser. Telnet has no authentication mechanisms to verify two communicating hosts. No MitM protection. Multiple vulnerabilities relating to telnet daemons. Vulnerable to brute force attacks.
What are the main security concerns of HTTP & HTTPS based management systems
Credentials can be transmitted insecurely over clear text protocols. Can sniff passwords with packet analyser. Web-based vulnerabilities: SQLi, XSS, Authentication Bypass. Vulnerable to brute-force attacks.
What are the main security concerns of using SSH
Outdated versions of SSH are vulnerable to a range of issues. SSH servers supporting CBC mode ciphers may allow attackers to recover up to 32 bits of plaintext from a block. SSH servers can support weak hashing algorithms: MD5 or 96-bit MAC algorithms. Vulnerable to brute-force attacks. Can support no authentication types.
What is SNMP
Simple Network Management Protocol. Devices that typically support SNMP include routers, switches, servers, workstations, printers etc. SNMP is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention.
What layer does SNMP operate on
Application (7)
What ports does SNMP utilise
UDP 161 & 162
What are the main security concerns of SNMP
As a connectionless protocol it is vulnerable to IP spoofing attacks. Authentication of clients is performed only by “community strings” instead of passwords. SNMP v1 and v2c “community strings” are sent in clear text and are susceptible to packet sniffing. Vulnerable to brute-force attacks against community / authentication / encryption strings, as they do not implement a challenge-response handshake. Default SNMP community strings are public and private.
What is TFTP
Trivial File Transfer Protocol is a simple, lock-step, file transfer protocol which allows a client to get or put a file onto a remote host. One of its primary uses is in the early stages of nodes booting from a Local Area Network. TFTP has been used for this application because it is very simple to implement.
What port is used by TFTP
UDP 69
What are the three modes of transfer used by TFTP
Netascii, Octet, Mail
What are the primary security concerns for TFTP
No authentication. Communications are sent in clear text format. Sensitive files can be extracted if the filename and path are known or guessed.
What is Cisco Reverse Telnet
A Telnet client which has the ability to Telnet to one device remotely, then “reverse” out of the device’s port to control a device connected to that port. Can be used to access serially connected devices.
What port does Cisco Reverse Telnet operate on
TCP 2000 + 1, 3, 4 (line number / port number)
What are the main vulnerabilities associated with Cisco Reverse Telnet
Doesn’t encrypt communications and / or passwords. Can sniff passwords with packet analyser. Telnet has no authentication mechanisms to verify two communicating hosts. No MitM protection. Multiple vulnerabilities relating to telnet daemons. Vulnerable to brute-force attacks.
What is NTP
Network Time Protocol - Used for synching time on servers
What port does NTP operate on
UDP 123
What are the main security concerns regarding NTP
Susceptible to MitM attacks unless packets are signed for authentication. Overhead can cause a DoS scenario. DDoS attacks can occur by sending commands to the NTP server with a spoofed return address. System information such as hostname, CPU, OS and daemon can be enumerated.
What are the three main tools used for network traffic analysis
Wireshark, Cain & Abel and Ettercap
What is ARP
Address Resolution Protocol, converts network layer (3) addresses into link layer (2) addresses (MAC to IP)
What are the main security concerns regarding ARP
ARP Spoofing / Cache Poisoning: 1) Attacker spoofs own MAC address to impersonate legitimate user. 2) Attacker broadcasts spoofed ARP messages onto network. 3) Recipient updates legitimate user details in ARP cache with attacker's details. 4) Traffic is intercepted.
ARP spoofing opens up what attack possibilities
DoS - Can drop packets. MitM - Traffic can be modified before forwarding it to the destination. MAC Flooding - Flood the switch with ARP messages until it behaves like a hub.
What measures can be taken to prevent ARP spoofing
Static ARP entries. ARP spoofing detection software. OS security.
What does DHCP stand for
Dynamic Host Control Protocol
What ports are used by DHCP
UDP 67 to the server, UDP 68 to the client
What are the main security concerns regarding DHCP
DHCP Spoofing (MitM): 1) Attacker responds to DHCP request message faster than the DHCP server. 2) Attacker advertises as default gateway and DNS server. 3) Attacker becomes MitM by intercepting traffic through impersonation. DHCP Exhaustion (DoS): 1) Attacker requests all IP addresses from the DHCP pool. 2) Legitimate users can no longer obtain an IP address.
What does CDP stand for
Cisco Discovery Protocol
What are the main security concerns for CDP
Information Disclosure. CDP Cache Overflow - DoS when device receives too many CDP packets. CDP Cache Pollution - DoS when device becomes unusable due to fake information. Power Exhaustion - Switch reserves power and denies power to other devices.
What is HSRP
Hot Standby Router Protocol is a proprietary protocol developed by Cisco which is used to establish a fault tolerant gateway through active and standby routers
What port does HSRP use
UDP 1985
What are the main security concerns regarding HSRP
DoS - Attacker sends HSRP packet with 255 priority to become Active router. Legitimate routers become Standby. MitM - If attacker is Active router, outbound traffic is intercepted. Information Disclosure - HSRP broadcasts all router IP Addresses.
What is VRRP
Virtual Routing Redundancy Protocol, pretty much the same as HSRP
What is VTP
VLAN Trunking Protocol, VTP allows central management and configuration of VLANs on all VTP devices from one device.
What are the main security concerns regarding VTP
VTP misconfigurations such as no / weak authentication, old version of VTP, or VTP enabled on all ports. Can lead to: DoS - Can disable or delete a VLAN from one device on all VTP servers. DoS - Can create VLANs on all VTP servers, causing outages and an increase in multicast / broadcast traffic.
What is STP
Spanning Tree Protocol, prevents bridge loops and broadcast radiation. Includes spare redundant links to provide automatic backup paths if an active link fails.
How does STP determine priority
Root bridge is determined by the lowest Bridge ID. Bridge ID = Priority + MAC (e.g. 32768.0200.0000.1111). Default priority = 32768. If two devices are tied on priority, the device with the lowest MAC becomes Root Bridge.
What is a BPDU
Bridge Protocol Data Units, used to exchange information about bridge IDs and root path costs. Bridges send BPDU frames using their MAC address every 2 seconds.
What are the main security concerns regarding STP
Authenticationless MitM - Attackers can flood BPDUs with the same priority as the root bridge but a lower MAC address, to win the root bridge election.
What is TACACS+
Terminal Access Controller Access Control System +, allows a RAS to communicate with an authentication server to determine if a user has access to the network.
What port does TACACS+ use
TCP 49
TACACS+ supports an AAA architecture, what does this mean
Authentication = Validating identity of user. Authorisation = Granting access to user or device. Accounting Services = Tracking user connectivity.
What are the main vulnerabilities associated with TACACS+
Lack of integrity checking in Accounting. Replay attacks can duplicate records in Accounting. Reply packets could be decrypted. Lack of padding - Lengths of user passwords can be determined. Packet body length DoS / Overflow.
What is the SIP protocol
Session Initiation Protocol is a signaling communications protocol, widely used for controlling multimedia communication sessions such as voice and video calls over IP networks.
What ports are used by SIP
Insecure: TCP 5060. Secure: TCP 5061.
What layer of the OSI model does SIP operate on
Application (7)
What are 5 architecture elements of SIP
User Agents (UA) - client that initiates a SIP session. Proxy server - receives SIP requests and routes to next hop. Redirect server - takes processing load from proxy server. Registrar server - maps URLs to location / IP address. Location server - used by proxy/redirect to find UA location.
What are the 9 SIP requests
INVITE - initiates. BYE - terminates. OPTIONS - lists server request methods. REGISTER - registers location for UA. ACK - acknowledges INVITE. CANCEL - cancels INVITE. REFER - transfers UA resources. SUBSCRIBE - wants NOTIFY. NOTIFY - transfers live information about state changes.
What are the SIP responses
1xx - information responses. 2xx - successful responses. 3xx - redirect responses. 4xx-6xx - failure responses.
What is RTP
SIP employs RTP (Real-Time Transport Protocol). RTP carries media streams (audio and video). RTP includes RTCP (Real-Time Control Protocol). RTCP monitors QoS and conveys information about UAs. RTP and RTCP operate between UDP 1024 and 65535.
What is SCCP
Skinny Call Control Protocol uses RTP. Communicates between IP phones and Cisco Unified Communications Manager. Owned by Cisco. Clients: Cisco 7900 series, Cisco IP Communicator, 802.11b Wireless IP Phone, Cisco Unity Voicemail Server. SCCP - TCP/2000. SCCPS - TCP/2443.
What is SDP
Session Description Protocol negotiates properties for encoding and decoding audio
How do 802.11 networks compare

How do the security features of 802.11 networks compare

What is WEP
Wired Equivalent Privacy uses a 64/128 bit RC4 encryption key to encrypt the layer 2 data payload. This key comprises a 40/104 bit user defined key combined with a 24 bit Initialization Vector (IV), making the key either 64/128 bit.
WEP is susceptible to the Fluhrer Mantin and Shamir (FMS) attack which uses encrypted output bytes to determine the most probable key bytes.
What is TKIP
Temporal Key Integrity Protocol - A safer RC4 implementation, used in WPA Personal & Enterprise for authentication.
TKIP implements a key mixing function that combines the secret root key with the initialization vector before passing it to the RC4 initialization. Implements a 64-bit Message Integrity Check (MIC).
To be able to run on legacy WEP hardware with minor upgrades, TKIP uses RC4 as its cipher. TKIP also provides a rekeying mechanism. TKIP ensures that every data packet is sent with a unique encryption key.
What is WPA
Wifi Protected Access utilises TKIP for both Personal and Enterprise.
WPA Personal uses an ASCII passphrase for authentication
WPA Enterprise uses a RADIUS server to authenticate users.
WPA implements a sequence counter to protect against replay attacks. Packets received out of order will be rejected by the access point.
What is WPA2
Wifi Protected Access 2 utilises the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) to encrypt the data payload. CCMP is based on Advanced Encryption Standard (AES) processing and uses a 128-bit key and a 128-bit block size.
What is EAP
Extensible Authentication Protocol is an authentication framework, not a specific authentication mechanism. It provides some common functions and negotiation of authentication methods called EAP methods. There are currently about 40 different methods defined. Methods defined in IETF RFCs include EAP-MD5, EAP-POTP, EAP-GTC, EAP-TLS, EAP-IKEv2, EAP-SIM, EAP-AKA and EAP-AKA’. Additionally a number of vendor-specific methods and new proposals exist.
Commonly used modern methods capable of operating in wireless networks include EAP-TLS, EAP-SIM, EAP-AKA, LEAP and EAP-TTLS. Requirements for EAP methods used in wireless LAN authentication are described in RFC 4017.
The standard also describes the conditions under which the AAA key management requirements described in RFC 4962 can be satisfied.
What is LEAP
Lightweight Extensible Authentication Protocol uses a modified version of MS-CHAP, an authentication protocol in which user credentials are not strongly protected and easily compromised; an exploit tool called ASLEAP was released in early 2004 by Joshua Wright.
Cisco recommends that customers who absolutely must use LEAP do so only with sufficiently complex passwords, though complex passwords are difficult to administer and enforce. Cisco’s current recommendation is to use newer and stronger EAP protocols such as EAP-FAST, PEAP, or EAP-TLS.
What is PEAP
Protected Extensible Authentication Protocol encapsulates EAP within an encrypted and authenticated TLS tunnel. PEAP is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses server-side public key certificates to authenticate the server.
It then creates an encrypted TLS tunnel between the client and the authentication server. In most configurations, the keys for this encryption are transported using the server’s public key. The ensuing exchange of authentication information inside the tunnel to authenticate the client is then encrypted and user credentials are safe from eavesdropping.