Appendix D Flashcards

1
Q

What port is utilised by Telnet

A

TCP/23

2
Q

What are the main security concerns regarding Telnet

A

Doesn’t encrypt communications and / or passwords. Passwords can be sniffed with a packet analyser.

Telnet has no authentication mechanisms to verify the two communicating hosts.

No MitM protection. Multiple vulnerabilities relating to telnet daemons.

Vulnerable to brute-force attacks.

3
Q

What are the main security concerns of HTTP & HTTPS based management systems

A

Credentials can be transmitted insecurely over clear-text protocols.

Passwords can be sniffed with a packet analyser.

Web-based vulnerabilities: SQLi, XSS, Authentication Bypass.

Vulnerable to brute-force attacks.

4
Q

What are the main security concerns of using SSH

A

Outdated versions of SSH are vulnerable to a range of issues.

SSH servers supporting CBC mode ciphers may allow attackers to recover up to 32 bits of plaintext from a block.

SSH servers can support weak hashing algorithms: MD5 or 96-bit MAC algorithms.

Vulnerable to brute-force attacks. Can be configured to support no authentication.

5
Q

What is SNMP

A

Simple Network Management Protocol.

Devices that typically support SNMP include routers, switches, servers, workstations, printers etc. SNMP is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention.

6
Q

What layer does SNMP operate on

A

Application (7)

7
Q

What ports does SNMP utilise

A

UDP 161 & 162

8
Q

What are the main security concerns of SNMP

A

As a connectionless (UDP) protocol it is vulnerable to IP spoofing attacks. Authentication of clients is performed only by “community strings” instead of a password. SNMP v1 and v2c “community strings” are sent in clear text and are susceptible to packet sniffing.

Vulnerable to brute-force attacks against community / authentication / encryption strings, as these do not implement a challenge-response handshake. The SNMP default community strings are “public” and “private”.

9
Q

What is TFTP

A

Trivial File Transfer Protocol is a simple, lock-step, file transfer protocol which allows a client to get or put a file onto a remote host.

One of its primary uses is in the early stages of nodes booting from a Local Area Network. TFTP has been used for this application because it is very simple to implement.

10
Q

What port is used by TFTP

A

UDP/69

11
Q

What are the three modes of transfer used by TFTP

A

Netascii, Octet, Mail

12
Q

What are the primary security concerns for TFTP

A

No authentication. Communications are sent in clear text. Sensitive files can be extracted if the filename and path are known or guessed.

13
Q

What is Cisco Reverse Telnet

A

A Telnet client which has the ability to Telnet to one device remotely, then “reverse” out of that device’s port to control a device connected to that port. Can be used to access serially connected devices.

14
Q

What port does Cisco Reverse Telnet operate on

A

TCP 2000 + line / port number (e.g. 2001, 2003, 2004)

15
Q

What are the main vulnerabilities associated with Cisco Reverse Telnet

A

Doesn’t encrypt communications and / or passwords.

Passwords can be sniffed with a packet analyser. Telnet has no authentication mechanisms to verify the two communicating hosts.

No MitM protection.

Multiple vulnerabilities relating to telnet daemons.

Vulnerable to brute-force attacks.

16
Q

What is NTP

A

Network Time Protocol - used for synchronising time on servers.

17
Q

What port does NTP operate on

A

UDP/123

18
Q

What are the main security concerns regarding NTP

A

Susceptible to MitM attacks unless packets are signed for authentication.

Overhead can cause a DoS scenario.

DDoS attacks can occur by sending commands to the NTP server with a spoofed return address.

System information such as hostname, CPU, OS and daemon can be enumerated.

19
Q

What are the three main tools used for network traffic analysis

A

Wireshark, Cain & Abel and Ettercap

20
Q

What is ARP

A

Address Resolution Protocol, converts network layer (3) addresses into link layer (2) addresses (IP to MAC)

21
Q

What are the main security concerns regarding ARP

A

ARP Spoofing / Cache Poisoning

1) Attacker spoofs own MAC address to impersonate a legitimate user.
2) Attacker broadcasts spoofed ARP messages onto the network.
3) Recipient updates the legitimate user's entry in its ARP cache with the attacker's details.
4) Traffic is intercepted.

22
Q

ARP spoofing opens up what attack possibilities

A

DoS - Packets can be dropped.
MitM - Traffic can be modified before forwarding it to the destination.
MAC Flooding - Flood the switch with ARP messages until it behaves like a hub.

23
Q

What measures can be taken to prevent ARP spoofing

A

Static ARP entries.
ARP spoofing detection software.
OS security.

24
Q

What does DHCP stand for

A

Dynamic Host Control Protocol

25
Q

What ports are used by DHCP

A

UDP 67 to the server
UDP 68 to the client

26
Q

What are the main security concerns regarding DHCP

A

DHCP Spoofing (MitM)
1 - Attacker responds to the DHCP request message faster than the DHCP server.
2 - Attacker advertises itself as the default gateway and DNS server.
3 - Attacker performs MitM by intercepting traffic through impersonation.

DHCP Exhaustion (DoS)
1 - Attacker requests all IP addresses from the DHCP pool.
2 - Legitimate users can no longer obtain an IP address.
27
Q

What does CDP stand for

A

Cisco Discovery Protocol.

28
Q

What are the main security concerns for CDP

A

1 - Information Disclosure
2 - CDP Cache Overflow - DoS when device receives too many CDP packets.
3 - CDP Cache Pollution - DoS when device becomes unusable due to fake information.
4 - Power Exhaustion - Switch reserves power and denies power to other devices.

29
Q

What is HSRP

A

Cisco : Hot Standby Router Protocol

30
Q

What port does HSRP use

A

UDP/1985

31
Q

What are the main security concerns regarding HSRP

A

1 - DoS - Attacker sends HSRP packet with 255 priority to become Active router. Legitimate routers become Standby.

2 - MitM - If attacker is Active router, outbound traffic is intercepted.

3 - Information Disclosure - HSRP broadcasts all router IP Addresses.

32
Q

What is VRRP

A

Virtual Routing Redundancy Protocol

33
Q

What is VTP

A

Cisco : VLAN Trunking Protocol

34
Q

What are the main security concerns regarding VTP

A

1 - No / weak authentication.
2 - Old version of VTP.
3 - VTP enabled on all ports.
Can lead to:
- DoS - Can disable or delete a VLAN from one device on all VTP servers.
- DoS - Can create VLANs on all VTP servers, causing outages and increased multicast / broadcast traffic.

35
Q

What is STP

A

Spanning Tree Protocol

36
Q

How does STP determine priority

A

Root bridge is determined by the lowest Bridge ID.
Bridge ID = Priority + MAC (e.g. 32768.0200.0000.1111)
Priority default = 32768

37
Q

What is BPDU

A

Bridge Protocol Data Unit

38
Q

What are the main security concerns regarding STP

A

1 - No authentication.
2 - MitM - Attackers can flood BPDUs with the same priority as the root bridge and a lower MAC address to win the root bridge election.

39
Q

What is TACACS+

A

Cisco : Terminal Access Controller Access-Control System +

40
Q

What port does TACACS+ use

A

TCP/49

41
Q

TACACS+ supports an AAA architecture, what does this mean

A

Authentication = Validating the identity of a user.
Authorisation = Granting access to a user or device.
Accounting = Tracking user connectivity.

42
Q

What are the main vulnerabilities associated with TACACS+

A

1 - Lack of integrity checking in Accounting.
2 - Replay attacks can duplicate records in Accounting.
3 - Reply packets could be decrypted.
4 - Lack of padding - Lengths of user passwords can be determined.
5 - Packet body length DoS / Overflow.

43
Q

What is the SIP protocol

A

The Session Initiation Protocol (SIP) is a communications protocol for signalling and controlling multimedia communication sessions in Internet telephony applications for voice and video calls, in private IP telephone systems, as well as in instant messaging over Internet Protocol (IP) networks. Commonly found on phone systems.

44
Q

What ports are used by SIP

A

Ports 5060 and 5061, both on TCP and UDP

45
Q

What layer of the OSI model does SIP operate on

A

Layer 5 (Session Layer)

46
Q

What are 5 architecture elements of SIP

A

User location, where the endpoint of a session can be identified and found, so that a session can be established

User availability, where the participant that’s being called has the opportunity and ability to indicate whether he or she wishes to engage in the communication

User capabilities, where the media that will be used in the communication is established, and the parameters of that media are agreed upon

Session setup, where the parameters of the session are negotiated and established

Session management, where the parameters of the session are modified, data is transferred, services are invoked, and the session is terminated

47
Q

What are the 14 SIP requests

A

INVITE = Establishes a session.
ACK = Confirms an INVITE request.
BYE = Ends a session.
CANCEL = Cancels establishing of a session.
REGISTER = Communicates user location (host name, IP).
OPTIONS = Communicates information about the capabilities of the calling and receiving SIP phones.
PRACK = Provisional Acknowledgement.
SUBSCRIBE = Subscribes for Notification from the notifier.
NOTIFY = Notifies the subscriber of a new event.
PUBLISH = Publishes an event to the Server.
INFO = Sends mid session information.
REFER = Asks the recipient to issue call transfer.
MESSAGE = Transports Instant Messages.
UPDATE = Modifies the state of a session.
48
Q

What are the SIP responses

A

1xx = Informational responses, such as 180 (Ringing).
2xx = Success responses.
3xx = Redirection responses.
4xx = Request failures.
5xx = Server errors.
6xx = Global failures.
49
Q

What is RTP

A

The Real-Time Transport Protocol (RTP) is an Internet protocol standard that specifies a way for programs to manage the real-time transmission of multimedia data over either unicast or multicast network services. … RTP is commonly used in Internet telephony applications.

50
Q

What is SCCP

A

The Signalling Connection Control Part (SCCP) is a network layer protocol that provides extended routing, flow control, segmentation, connection-orientation, and error correction facilities in Signaling System 7 telecommunications networks. SCCP relies on the services of MTP for basic routing and error detection.

51
Q

What is SDP

A

The Session Description Protocol (SDP) is a format for describing streaming media communications parameters.

52
Q

How do 802.11 networks compare

A

WLAN - Wireless Local Area Network
Standard for wireless networking: IEEE 802.11 (Institute of Electrical and Electronics Engineers).
802.11 is a data link layer protocol.
802.11 networks are all half duplex.

53
Q

How do the security features of 802.11 networks compare

A

Four Common 802.11 Variations:

802.11a
1 - 54 Mbit/s speed (megabits per second)
2 - 5 GHz frequency
3 - 150 feet distance

802.11b
1 - 11 Mbit/s speed
2 - 2.4 GHz frequency (interference)
3 - 300 feet distance

802.11g
1 - 54 Mbit/s speed
2 - 2.4 GHz frequency (interference)
3 - 300 feet distance

802.11n (popular)
1 - 54-600 Mbit/s speed
2 - 2.4 and 5 GHz frequency
3 - 230 feet distance

54
Q

What is WEP

A

Wireless Equivalency Privacy
Implemented in 802.11 standard.
+ Rivest Cipher 4 (RC4 Cipher) for confidentiality.
+ Cyclic Redundancy Check (CRC-32) for integrity.

55
Q

What is TKIP

A

Temporal Key Integrity Protocol
Used by WPA.
+ Rivest Cipher 4 (RC4) for confidentiality.
+ 64bit Message Integrity Check (MIC) for integrity.

56
Q

What is WPA

A

WPA
WiFi Protected Access
Implemented in 802.11i standard.
+ Temporal Key Integrity Protocol (TKIP) for confidentiality.
+ Michael message integrity algorithm for integrity.

57
Q

What is WPA2

A
WPA2
WiFi Protected Access II
Implemented in the 802.11i-2004 standard, or Robust Security Network (RSN).
+ CCMP for confidentiality.
+ CBC-MAC for integrity.

58
Q

What is EAP

A

Extensible Authentication Protocol
+ Cisco authentication framework providing functions and negotiation of different EAP methods.

EAP-TLS
Extensible Authentication Protocol over Transport Layer Security (EAP-TLS)
+ EAP-TLS is based on SSLv3.
+ EAP-TLS uses client-side certificates.

59
Q

What is LEAP

A

LEAP (Lightweight Extensible Authentication Protocol) is a Cisco-proprietary version of EAP, the authentication protocol used in wireless networks and Point-to-Point connections. LEAP is designed to provide more secure authentication for 802.11 WLANs (wireless local area networks) that support 802.1X port access control.

60
Q

What is PEAP

A

Protected Extensible Authentication Protocol (PEAP)
+ PEAP is based on EAP-TLS
+ PEAP is designed to allow hybrid authentication.

Client Authentication:
1 - Username and password.