Appendix D

Question 1

What port is utilised by Telnet

Answer 1

TCP 23

Question 2

What are the main security concerns regarding Telnet

Answer 2

Doesn’t encrypt communications and / or passwords. Can sniff passwords with packet analyser. Telnet has no authentication mechanisms to verify two communicating hosts. No MitM protection. Multiple vulnerabilities relating to telnet daemons. Vulnerable to brute force attacks.

Question 3

What are the main security concerns of HTTP & HTTPS based management systems

Answer 3

Credentials can be transmitted insecurely over clear text protocols. Can sniff passwords with packet analyser. Web-based vulnerabilities: SQLi, XSS, Authentication Bypass. Vulnerable to brute-force attacks.

Question 4

What are the main security concerns of using SSH

Answer 4

Outdated versions of SSH are vulnerable to a range of issues. SSH supported with CBC may allow attackers to recovery up to 32bits of plaintext from a block. SSH servers can support weak hashing algorithms: MD5 or 96-bit MAC algorithms. Vulnerable to brute-force attacks. Can support no authentication types.

Question 5

What is SNMP

Answer 5

Simple Network Management Protocol. Devices that typically support SNMP include routers, switches, servers, workstations, printers etc. SNMP is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention.

Question 6

What layer does SNMP operate on

Answer 6

Application (7)

Question 7

What ports does SNMP utilise

Answer 7

UDP 161 & 162

Question 8

What are the main security concerns of SNMP

Answer 8

Is a connectionless protocol, is vulnerable to IP Spoofing attacks. Authentication of clients is performed only by “community strings” instead of password. SNMP v1 and 2c “Community strings” are sent in clear text, susceptible to packet sniffing. Vulnerable to brute-force attacks against community / authentication / encryption strings as they do not implement a challenge response handshake. SNMP default community strings public and private.

Question 9

What is TFTP

Answer 9

Trivial File Transfer Protocol is a simple, lock-step, file transfer protocol which allows a client to get or put a file onto a remote host. One of its primary uses is in the early stages of nodes booting from a Local Area Network. TFTP has been used for this application because it is very simple to implement.

Question 10

What port is used by TFTP

Answer 10

UDP 69

Question 11

What are the three modes of transfer used by TFTP

Answer 11

Netascii Octet Mail

Question 12

What are the primary security concerns for TFTP

Answer 12

No authentication. Communications are sent in clear text format. Extract sensitive files if the filename and path is known / guessed.

Question 13

What is Cisco Reverse Telnet

Answer 13

A Telnet client which has the ability to Telnet to one device remotely, then “reverse” out of the device’s port to control a device connected to that port. Can be used to access serially connected devices

Question 14

What port does Cisco Reverse Telnet operate on

Answer 14

TCP 2000 + 1, 3, 4 (line number / port number)

Question 15

What are the main vulnerabilities associated with Cisco Reverse Telnet

Answer 15

Doesn’t encrypt communications and / or passwords. Can sniff passwords with packet analyser. Telnet has no authentication mechanisms to verify two communicating hosts. No MitM protection. Multiple vulnerabilities relating to telnet daemons. Vulnerable to brute-force attacks.

Question 16

What is NTP

Answer 16

Network Time Protocol - Used for synching time on servers

Question 17

What port does NTP operate on

Answer 17

UDP 123

Question 18

What are the main security concerns regarding NTP

Answer 18

Suscepticle to MitM attacks unless packets are signed for authentication. Overhead can cause DoS scenario. DDOS attacks can occur by sending commands to NTP server with spoofed return address. Enumerate system information such as hostname, CPU, OS and Daemon.

Question 19

What are the three main tools used for network traffic ananlysis

Answer 19

Wireshark, Cain & Abel and Ettercap

Question 20

What is ARP

Answer 20

Address Resolution Protocol, converts network layer (3) addresses into link layer (2) addresses (MAC to IP)

Question 21

What are the main security concerns regarding ARP

Answer 21

ARP Spoofing / Cache Poisoning 1) Attacker spoofs own MAC address to impersonate legitimate user. 2) Attacker broadcasts spoofed ARP messages onto network. 3) Recipient updates legitimate user details on ARP Cache with attackers details. 4) Traffic is intercepted.

Question 22

ARP spoofing opens up what attack possibilities

Answer 22

DoS - Can drop packets. MitM - Traffic can be modified before forwarding it to destination. MAC Flooding - Flood switch with ARP message until it becomes a HUB.

Question 23

What measures can be taken to prevent ARP spoofing

Answer 23

Static ARP Entries ARP Spoofing Detection Software. OS Security.

Question 24

What does DHCP stand for

Answer 24

Dynamic Host Control Protocol

Question 25

What ports are used by DHCP

Answer 25

UDP 67 to the server UDP 68 to the client

Question 26

What are the main security concerns regarding DHCP

Answer 26

DHCP Spoofing (MitM) 1) Attacker responds to DHCP request message faster than DHCP server. 2) Attacker advertises as default gateway and DNS server. 3) MitM attacker by intercepting traffic through impersonation. DHCP Exhaustion (DoS) 1) Attacker requests all IP Address from DHCP pool. 2) Legitimate users can no longer obtain an IP Address.

Question 27

What does CDP stand for

Answer 27

Cisco Discovery Protocol

Question 28

What are the main security concerns for CDP

Answer 28

Information Disclosure CDP Cache Overflow - DoS when device receives too many CDP packets. CDP Cache Pollution - DoS when device becomes unusable due to fake information. Power Exhaustion - Switch reservers power and denies power to other devices.

Question 29

What is HSRP

Answer 29

Hot Standby Router Protocol is a proprietary protocol developed by Cisco which is used to establish a fault tolerant gateway through active and standby routers

Question 30

What port does HSRP use

Answer 30

UDP 1985

Question 31

What are the main security concerns regarding HSRP

Answer 31

DoS - Attacker sends HSRP packet with 255 priority to become Active router. Legitimate routers become Standby. MitM - If attacker is Active router, outbound traffic is intercepted. Information Disclosure - HSRP broadcasts all router IP Addresses.

Question 32

What is VRRP

Answer 32

Virtual Routing Redundancy Protocol, pretty much the same as HSRP

Question 33

What is VTP

Answer 33

VLAN Trunking Protocol, VTP allows central management and configuration of VLANs on all VTP devices from one device.

Question 34

What are the main security concerns regarding VTP

Answer 34

VTP misconfigurations such as No / Weak authentication Old version of VTP VTP enabled on all ports. Can lead to: DoS - Can disable or delete a VLAN from one device on all VTP servers. DoS - Can create VLANs on all VTP servers, causing outdates and increased in multicast / broadcast traffic.

Question 35

What is STP

Answer 35

Spanning Tree Protocol, prevents bridge loops and broadcast radiation. Includes spare redundant links to provide automatic backup paths if an active link fails.

Question 36

How does STP determine priority

Answer 36

Root bridge is determined by lowest Bridge ID. Bridge ID contains Priority + MAC= (32768.0200.0000.1111) Priority default = 32768 If two devices are tied priority, device with lowest MAC becomes Root Bridge.

Question 37

What is BDPU

Answer 37

Bridge Protocol Data Units, used to exchange information about bridge IDs and root path costs. Bridges send BPDU frames using its MAC address every 2 seconds.

Question 38

What are the main security concerns regarding STP

Answer 38

Authenticationless MitM - Attackers can flood BPDUs with same priority as root bridge with a lower MAC address, to win root bridge election.

Question 39

What is TACACS+

Answer 39

Terminal Access Controller Access Control System +, allows RAS to communicate with authentication server to determine if user has access to network

Question 40

What port does TACACS+ use

Answer 40

TCP 49

Question 41

TACACS+ supports an AAA architecture, what does this mean

Answer 41

Authentication = Validating identify of user Authorisation = Granting access to user or device. Accounting Services = Tracking user connectivity.

Question 42

What are the main vulnerabilities associated with TACACS+

Answer 42

Lack of integrity checking in Accounting. Replay attacks can duplicate records in Accounting. Reply packets could be decrypted. Lack of padding - Lengths of user passwords can be determined. Packet body length DoS / Overflow.

Question 43

What is the SIP protocol

Answer 43

Session Initiation Protocol is a signaling communications protocol, widely used for controlling multimedia communication sessions such as voice and video calls over IP networks.

Question 44

What ports are used by SIP

Answer 44

Insecure : TCP 5060 Secure : TCP 5061

Question 45

What layer of the OSI model does SIP operate on

Answer 45

Application (7)

Question 46

What are 5 architecture elements of SIP

Answer 46

User Agents (UA) - client that initiates a SIP session. Proxy server - receives SIP requests and routes to next hop. Redirect server - takes processing load from proxy server. Registrar server - maps URLs to location / IP Address Location server - Used by proxy/redirect to find UA location

Question 47

What are the 9 SIP requests

Answer 47

INVITE - initiates BYE - terminates OPTIONS - lists server request methods REGISTER - Registers location for UA. ACK - acknowledge INVITE CANCEL - cancels INVITE REFER - transfers UA resources SUBSCRIBE - Wants NOTIFY NOTIFY - transfers live information about state changes.

Question 48

What are the SIP responses

Answer 48

1xx - information responses 2xx - Successful responses 3xx - redirect responses 4xx - 6xx - failure responses.

Question 49

What is RTP

Answer 49

SIP employes RTP (Real-Time Transport Protocol) RTP carries media streams (audio and video). RTP includes RTCP (Real-Time Control Protocol. RTCP monitors QoS and conveys information of UAs. RTP and RTCP operate between UDP 1024 to 65535

Question 50

What is SCCP

Answer 50

Skinny Call Control Protocol uses RTP. Communicates IP phones and Cisco Unified Communications Manager. Owned by Cisco. - Clients: Cisco 7900 series, Cisco IP Communicator, 802,11b Wireless IP Phone, Cisco Unity Voicemail Server SCCP - TCP/2000 SCCPS - TCP/2443

Question 51

What is SDP

Answer 51

Session Description Protocol negotiates properties for encoding and decoding audio

Question 52

How do 802.11 networks compare

Answer 52

Question 53

How do the security features of 802.11 networks compare

Answer 53

Question 54

What is WEP

Answer 54

Wired Equivalent Privacy uses a 64/128 bit RC4 encryption key to encrypt the layer 2 data payload. This key comprises a 40/104 bit user defined key combined with a 24 bit Initialization Vector (IV) making the key either 64/128 bit

WEP is susceptible to the Fluhrer Mantin and Shamir (FMS) attack which uses encrypted output bytes to determine the most probable key bytes.

Question 55

What is TKIP

Answer 55

Temporal Key Integrity Protocol - A safer RC4 implementation, used in WPA Personal & Enterprise for authentication.

TKIP implements a key mixing function that combines the secret root key with the initialization vector before passing it to the RC4 initialization. Implements a 64-bit Message Integrity Check (MIC).

To be able to run on legacy WEP hardware with minor upgrades, TKIP uses RC4 as its cipher. TKIP also provides a rekeying mechanism. TKIP ensures that every data packet is sent with a unique encryption key.

Question 56

What is WPA

Answer 56

Wifi Protected Access utilises TKIP for both Personal and Enterprise.

WPA Personal uses an ASCII passphrase for authentication
WPA Enterprise uses a RADIUS server to authenticate users.

WPA implements a sequence counter to protect against replay attacks. Packets received out of order will be rejected by the access point.

Question 57

What is WPA2

Answer 57

Wifi Protected Access 2 utilises the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) to encrypt the data payload. CCMP is based on Advanced Encryption Standard (AES) processing and uses a 128-bit key and a 128-bit block size.

Question 58

What is EAP

Answer 58

Extensible Authentication Protocol is an authentication framework, not a specific authentication mechanism. It provides some common functions and negotiation of authentication methods called EAP methods. There are currently about 40 different methods defined. Methods defined in IETF RFCs include EAP-MD5, EAP-POTP, EAP-GTC, EAP-TLS, EAP-IKEv2, EAP-SIM, EAP-AKA and EAP-AKA’. Additionally a number of vendor-specific methods and new proposals exist.

Commonly used modern methods capable of operating in wireless networks include EAP-TLS, EAP-SIM, EAP-AKA, LEAP and EAP-TTLS. Requirements for EAP methods used in wireless LAN authentication are described in RFC 4017.

The standard also describes the conditions under which the AAA key management requirements described in RFC 4962 can be satisfied.

Question 59

What is LEAP

Answer 59

Lightweight Extensible Authentication Protocol uses a modified version of MS-CHAP, an authentication protocol in which user credentials are not strongly protected and easily compromised; an exploit tool called ASLEAP was released in early 2004 by Joshua Wright.

Cisco recommends that customers who absolutely must use LEAP do so only with sufficiently complex passwords, though complex passwords are difficult to administer and enforce. Cisco’s current recommendation is to use newer and stronger EAP protocols such as EAP-FAST, PEAP, or EAP-TLS.

Question 60

What is PEAP

Answer 60

Protected Extensible Authentication Protocol encapsulates EAP within an encrypted and authenticated TLS tunnel. PEAP is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses server-side public key certificates to authenticate the server.

It then creates an encrypted TLS tunnel between the client and the authentication server. In most configurations, the keys for this encryption are transported using the server’s public key. The ensuing exchange of authentication information inside the tunnel to authenticate the client is then encrypted and user credentials are safe from eavesdropping.