Appendix D Flashcards
What port is utilised by Telnet
TCP/23
What are the main security concerns regarding Telnet
Doesn’t encrypt communications and / or passwords. Can sniff passwords with packet analyser.
Telnet has no authentication mechanisms to verify two communicating hosts.
No MitM protection. Multiple vulnerabilities relating to telnet daemons.
Vulnerable to brute force attacks.
What are the main security concerns of HTTP & HTTPS based management systems
Credentials can be transmitted insecurely over clear text protocols.
Can sniff passwords with packet analyser.
Web-based vulnerabilities: SQLi, XSS, Authentication Bypass.
Vulnerable to brute-force attacks.
What are the main security concerns of using SSH
Outdated versions of SSH are vulnerable to a range of issues.
SSH servers supporting CBC-mode ciphers may allow attackers to recover up to 32 bits of plaintext from a block.
SSH servers can support weak hashing algorithms: MD5-based or 96-bit MAC algorithms.
Vulnerable to brute-force attacks. Can be configured with no authentication.
What is SNMP
Simple Network Management Protocol.
Devices that typically support SNMP include routers, switches, servers, workstations, printers etc. SNMP is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention.
What layer does SNMP operate on
Application (7)
What ports does SNMP utilise
UDP 161 & 162
What are the main security concerns of SNMP
Connectionless (UDP) protocol, so vulnerable to IP spoofing attacks. Authentication of clients is performed only by “community strings” instead of a password. SNMP v1 and v2c “community strings” are sent in clear text and are susceptible to packet sniffing.
Vulnerable to brute-force attacks against community / authentication / encryption strings, as the protocol does not implement a challenge-response handshake. Default SNMP community strings are public and private.
What is TFTP
Trivial File Transfer Protocol is a simple, lock-step, file transfer protocol which allows a client to get or put a file onto a remote host.
One of its primary uses is in the early stages of nodes booting from a Local Area Network. TFTP has been used for this application because it is very simple to implement.
What port is used by TFTP
UDP/69
What are the three modes of transfer used by TFTP
Netascii, Octet, Mail
What are the primary security concerns for TFTP
No authentication. Communications are sent in clear text. Sensitive files can be extracted if the filename and path are known or guessed.
What is Cisco Reverse Telnet
A Telnet client which can Telnet to one device remotely, then “reverse” out of that device’s port to control a device connected to that port. Can be used to access serially connected devices.
What port does Cisco Reverse Telnet operate on
TCP 2000 + line / port number (e.g. 2001, 2003, 2004)
What are the main vulnerabilities associated with Cisco Reverse Telnet
Doesn’t encrypt communications and / or passwords.
Can sniff passwords with packet analyser. Telnet has no authentication mechanisms to verify two communicating hosts.
No MitM protection.
Multiple vulnerabilities relating to telnet daemons.
Vulnerable to brute-force attacks.
What is NTP
Network Time Protocol - Used for synching time on servers
What port does NTP operate on
UDP/123
What are the main security concerns regarding NTP
Susceptible to MitM attacks unless packets are signed for authentication.
Overhead can cause a DoS scenario.
DDoS attacks can occur by sending commands to an NTP server with a spoofed return address.
System information such as hostname, CPU, OS and daemon can be enumerated.
What are the three main tools used for network traffic analysis
Wireshark, Cain & Abel and Ettercap
What is ARP
Address Resolution Protocol, converts network layer (3) addresses into link layer (2) addresses (MAC to IP)
What are the main security concerns regarding ARP
ARP Spoofing / Cache Poisoning
1) Attacker spoofs own MAC address to impersonate legitimate user.
2) Attacker broadcasts spoofed ARP messages onto network.
3) Recipient updates the legitimate user’s entry in its ARP cache with the attacker’s details.
4) Traffic is intercepted.
ARP spoofing opens up what attack possibilities
DoS - Packets can be dropped. MitM - Traffic can be modified before being forwarded to its destination. MAC Flooding - The switch is flooded with ARP messages until it behaves like a hub.
What measures can be taken to prevent ARP spoofing
Static ARP entries. ARP spoofing detection software. OS security.
What does DHCP stand for
Dynamic Host Control Protocol
What ports are used by DHCP
UDP 67 (to the server), UDP 68 (to the client)
What are the main security concerns regarding DHCP
DHCP Spoofing (MitM)
1 - Attacker responds to the DHCP request message faster than the DHCP server.
2 - Attacker advertises itself as the default gateway and DNS server.
3 - Attacker performs MitM by intercepting traffic through impersonation.
DHCP Exhaustion (DoS)
1 - Attacker requests all IP addresses from the DHCP pool.
2 - Legitimate users can no longer obtain an IP address.
What does CDP stand for
Cisco Discovery Protocol.
What are the main security concerns for CDP
1 - Information Disclosure
2 - CDP Cache Overflow - DoS when device receives too many CDP packets.
3 - CDP Cache Pollution - DoS when device becomes unusable due to fake information.
4 - Power Exhaustion - Switch reserves power and denies power to other devices.
What is HSRP
Cisco : Hot Standby Router Protocol
What port does HSRP use
UDP/1985
What are the main security concerns regarding HSRP
1 - DoS - Attacker sends HSRP packet with 255 priority to become Active router. Legitimate routers become Standby.
2 - MitM - If attacker is Active router, outbound traffic is intercepted.
3 - Information Disclosure - HSRP broadcasts all router IP Addresses.
What is VRRP
Virtual Routing Redundancy Protocol
What is VTP
Cisco : VLAN Trunking Protocol
What are the main security concerns regarding VTP
1 - No / Weak authentication
2 - Old version of VTP
3 - VTP enabled on all ports.
Can lead to:
- DoS - Can disable or delete a VLAN from one device on all VTP servers.
- DoS - Can create VLANs on all VTP servers, causing outages and increased multicast / broadcast traffic.
What is STP
Spanning Tree Protocol
How does STP determine priority
Root bridge is determined by lowest Bridge ID.
Bridge ID = Priority + MAC (e.g. 32768.0200.0000.1111)
Priority default = 32768
What is BPDU
Bridge Protocol Data Unit
What are the main security concerns regarding STP
1 - Authentication-less
2 - MitM - Attackers can flood BPDUs with the same priority as the root bridge but a lower MAC address, to win the root bridge election.
What is TACACS+
Cisco : Terminal Access Controller Access-Control System +
What port does TACACS+ use
TCP/49
TACACS+ supports an AAA architecture, what does this mean
Authentication = Validating the identity of a user.
Authorisation = Granting access to user or device.
Accounting Services = Tracking user connectivity.
What are the main vulnerabilities associated with TACACS+
1 - Lack of integrity checking in Accounting.
2 - Replay attacks can duplicate records in Accounting.
3 - Reply packets could be decrypted.
4 - Lack of padding - Lengths of user passwords can be determined.
5 - Packet body length DoS / Overflow.
What is the SIP protocol
The Session Initiation Protocol (SIP) is a communications protocol for signaling and controlling multimedia communication sessions in applications of Internet telephony for voice and video calls, in private IP telephone systems, as well as in instant messaging over Internet Protocol (IP) networks. Commonly used on phone systems.
What ports are used by SIP
Ports 5060 and 5061, both on TCP and UDP
What layer of the OSI model does SIP operate on
Layer 5 (Session Layer)
What are 5 architecture elements of SIP
User location, where the endpoint of a session can be identified and found, so that a session can be established
User availability, where the participant that’s being called has the opportunity and ability to indicate whether he or she wishes to engage in the communication
User capabilities, where the media that will be used in the communication is established, and the parameters of that media are agreed upon
Session setup, where the parameters of the session are negotiated and established
Session management, where the parameters of the session are modified, data is transferred, services are invoked, and the session is terminated
What are the 14 SIP requests
INVITE = Establishes a session.
ACK = Confirms an INVITE request.
BYE = Ends a session.
CANCEL = Cancels establishing of a session.
REGISTER = Communicates user location (host name, IP).
OPTIONS = Communicates information about the capabilities of the calling and receiving SIP phones.
PRACK = Provisional Acknowledgement.
SUBSCRIBE = Subscribes for Notification from the notifier.
NOTIFY = Notifies the subscriber of a new event.
PUBLISH = Publishes an event to the Server.
INFO = Sends mid session information.
REFER = Asks the recipient to issue call transfer.
MESSAGE = Transports Instant Messages.
UPDATE = Modifies the state of a session.
What are the SIP responses
1xx = Informational responses, such as 180 (ringing).
2xx = Success responses.
3xx = Redirection responses.
4xx = Request failures.
5xx = Server errors.
6xx = Global failures.
What is RTP
The Real-Time Transport Protocol (RTP) is an Internet protocol standard that specifies a way for programs to manage the real-time transmission of multimedia data over either unicast or multicast network services. … RTP is commonly used in Internet telephony applications.
What is SCCP
The Signalling Connection Control Part (SCCP) is a network layer protocol that provides extended routing, flow control, segmentation, connection-orientation, and error correction facilities in Signaling System 7 telecommunications networks. SCCP relies on the services of MTP for basic routing and error detection.
What is SDP
The Session Description Protocol (SDP) is a format for describing streaming media communications parameters.
How do 802.11 networks compare
WLAN - Wireless Local Area Network
Standard of Wireless Networking: IEEE 802.11 (Institute of Electrical and Electronic Engineers).
802.11 is a data link layer protocol
All 802.11 variants are half duplex.
How do the security features of 802.11 networks compare
Four Common 802.11 Variations:
802.11A
1 - 54 Mbits speed (megabits per second)
2 - 5 GHz frequency (Hertz)
3 - 150 feet distance.
802.11B
1 - 11 Mbits speed
2 - 2.4 GHz frequency (interference)
3 - 300 feet distance
802.11G
1 - 54 Mbits speed
2 - 2.4 GHz frequency (interference)
3 - 300 feet distance
802.11N (Popular)
1 - 54-600 Mbits speed
2 - 2.4 and 5 GHz frequency
3 - 230 feet.
What is WEP
Wireless Equivalency Privacy
Implemented in 802.11 standard.
+ Rivest Cipher 4 (RC4 Cipher) for confidentiality.
+ Cyclic Redundancy Check (CRC-32) for integrity.
What is TKIP
Temporal Key Integrity Protocol
Used by WPA.
+ Rivest Cipher 4 (RC4) for confidentiality.
+ 64bit Message Integrity Check (MIC) for integrity.
What is WPA
WiFi Protected Access
Implemented in 802.11i standard.
+ Temporal Key Integrity Protocol (TKIP) for confidentiality.
+ Michael message integrity algorithm for integrity.
What is WPA2
WiFi Protected Access II
Implemented in 802.11i-2004 standard, also known as Robust Security Network (RSN).
+ CCMP for confidentiality.
+ CBC-MAC for integrity.
What is EAP
Extensible Authentication Protocol
+ Cisco authentication framework providing functions and negotiations of different EAP methods.
- EAP-TLS
Extensible Authentication Protocol over Transport Layer Security (EAP-TLS)
+ EAP-TLS based on SSLv3.
+ EAP-TLS uses client-side certificates.
What is LEAP
LEAP (Lightweight Extensible Authentication Protocol) is a Cisco-proprietary version of EAP, the authentication protocol used in wireless networks and Point-to-Point connections. LEAP is designed to provide more secure authentication for 802.11 WLANs (wireless local area networks) that support 802.1X port access control.
What is PEAP
Protected Extensible Authentication Protocol (PEAP)
+ PEAP is based on EAP-TLS
+ PEAP is designed to allow hybrid authentication.
Client Authentication:
1 - Username and password.