Certmaster Explaining Transport Layer Protocols Flashcards

1
Q

A systems administrator needs network visibility to establish the logical topology of routers and subnets. Which of the following is a lightweight standalone tool which will allow the administrator to easily scan for IPs?

A.PRTG
B.IPAM
C.DDI
D.ManageEngine

A

A

IP scanning uses lightweight standalone open source or commercial tools, such as Nmap, AngryIP, or PRTG. An IP scanner is a tool that performs host discovery.

Enterprise network management suites will also be able to keep a record of inventory information about each host. This functionality is often known as IP Address Management (IPAM).

Suites that integrate with Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) servers are also known as DHCP, DNS, and IPAM (DDI).

DDI vendors and solutions include ManageEngine, Infoblox, SolarWinds, Bluecat, and Men & Mice. Windows Server bundles with a DDI product.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

A security analyst is looking at traffic from older devices between ports 2,000 - 3,000. What is this traffic most likely?

A.Well-known applications
B.Dynamic use
C.Client ports
D.Sockets

A

C

OS implementations of Transmission Control Protocol/Internet Protocol (TCP/IP) have not always conformed to recommendations. For example, earlier versions of Windows and UNIX/Linux used 1,024—5,000 for client ports.

Port numbers 0 through 1,023 are preassigned by the Internet Assigned Numbers Authority (IANA) to “well-known” server applications.

The remaining ports (49,152 up to 65,535) are for private or dynamic use. Also, for the server application that needs a port, each client application must assign its own port number to track its requests.

The port number is used in conjunction with the source IP address to form a socket. Each socket is bound to a software process.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

A server administrator is analyzing a normal Transmission Control Protocol (TCP) Teardown connection to their servers. How many FIN-WAIT states does the client go through during this process?

A.One
B.Two
C.Three
D.Four

A

B

The client goes through two FIN-WAIT states. In the first step, the client sends a FIN segment to the server and then enters the FIN-WAIT1 state.

The client does not go through one FIN-WAIT state. After the client sends a FIN, the server responds with an ACK segment and enters the CLOSE-WAIT state.

The client does not go through three FIN-WAIT states. The third step occurs when the client receives the ACK segment and enters the FIN-WAIT2 state. This is the second and final FIN-WAIT state.

The client does not go through four FIN-WAIT states. After entering the second FIN-WAIT state, the client responds with an ACK and enters the TIME-WAIT state.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

A penetration tester has performed a quick service enumeration with Nmap and now wants to further enumerate the findings. Which parameter should the pen tester use in the command?

A.-sU
B.-sV
C.-sT
D.-sS

A

B

When services get discovered, the pen tester can use Nmap with the -sV switch to probe a host more intensively to discover the software or software version operating each port.

UDP scans (-sU) scan UDP ports. As these do not use ACKs, Nmap needs to wait for a response or timeout to determine the port state, so UDP scanning can take a long time.

TCP connect (-sT) is a half-open scan that requires Nmap to have privileged access to the network driver so that it can craft packets.

TCP SYN (-sS) is a fast technique (also referred to as half-open scanning) as the scanning host requests a connection without acknowledging it.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

A network administrator is looking at packet captures from the network and trying to isolate email traffic. Which of the following should the network administrator include? (Select all that apply.)

A.UDP 161
B.TCP 25
C.TCP 123
D.TCP 143

A

B, D

Transmission Control Protocol (TCP) 25 is Simple Mail Transfer Protocol (SMTP) traffic which the network administrator should include when searching for email traffic.

TCP 143 is Internet Message Access Protocol (IMAP) traffic which would also be email traffic, and the administrator should include it as well.

User Datagram Protocol (UDP) 161 is used for simple network management protocol (SNMP). UDP 161 is considered to be a common port, but is NOT used for email traffic.

TCP 123 is not a common protocol. UDP 123 is Network Time Protocol/Simple NTP. This allows hosts to sync and set a common time, which is especially important for security.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

A security analyst wants to reconstruct the packet contents for a Transmission Control Protocol (TCP) session in Wireshark. Which function should the security analyst use?

A.Statistics
B.Conversations
C.Follow TCP Stream
D.Protocol Hierarchy

A

C

A useful option is to use the Follow TCP Stream context command to reconstruct the packet contents for a TCP session.

In Wireshark, the security analyst can use the Statistics menu to access traffic analysis tools. Rather than reading each frame individually, the analyst uses the tool to monitor statistics related to communications flows.

Conversations in Wireshark allow the analyst to look at various protocol statistics such as Ethernet, IPv4, IPv6, TCP, and UDP.

The analyst can use the Protocol Hierarchy tool in Wireshark to view the most active protocols on a network link. This sort of report can baseline network activity.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

A systems engineer is looking at running services on the company’s Linux hosts and wants to include ports in the listening state in the output. Which netstat switch should the engineer use?

A.-a
B.-u
C.-w
D.-x

A

A

Using the -a switch includes ports in the listening state in the output. The netstat command allows the administrator to check the state of ports on the local host.

Netstat allows the use of switches for Internet connections for Transmission Control Protocol (-t) and User Datagram Protocol (-u). The administrator can use netstat to check for service misconfigurations, such as a host running a web or File Transfer Protocol (FTP) server that a user installed without authorization.

Using the -w switch can view raw connections. The administrator may also be able to identify suspicious remote connections to services on the local host or from the host to remote IP addresses.

The -x switch can view UNIX sockets/local server ports.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

A security analyst is reviewing UDP traffic headers. Which of the following is NOT a field in a UDP traffic header?

A.Source port
B.Destination Port
C.Window
D.Checksum

A

C

The window field is in Transmission Control Protocol (TCP) traffic, not User Datagram Protocol (UDP) traffic. It is the amount of data the host is willing to receive before sending another acknowledgment. TCP’s flow control mechanism means if it is getting overwhelmed, one side can slow the sending rate.

UDP traffic has a source port field, which can be set to zero if the destination computer doesn’t need to reply to the sender.

The UDP Destination Port refers to the port on the device receiving the traffic.

The checksum ensures the validity of the packet. It is also present in both TCP and UDP headers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

A penetration tester wants to perform remote port scanning. Which Nmap scanning technique allows for a fast scan by having the scanning host request a connection without acknowledging it?

A.-sU
B.-sV
C.-sT
D.-sS

A

D

TCP SYN (-sS) is a fast technique (also referred to as half-open scanning) as the scanning host requests a connection without acknowledging it. The target’s response to the scan’s SYN packet identifies the port state.

UDP scans (-sU) scan UDP ports. As these do not use ACKs, Nmap needs to wait for a response or timeout to determine the port state, so UDP scanning can take a long time.

When services get discovered, the pen tester can use Nmap with the -sV switch to probe a host more intensively to discover the software or software version operating each port.

TCP connect (-sT) is a scan that requires Nmap to have privileged access to the network driver so that it can craft packets.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

A security engineer is looking at Transmission Control Protocol (TCP) traffic headers. Which of the following allows the receiver to rebuild the message correctly?

A.Urgent pointer
B.Window
C.Ack number
D.Sequence number

A

D

The sequence number allows the receiver to rebuild the message correctly and deal with out-of-order packets.

If the system is sending the urgent pointer data, this specifies the end of that data in the segment.

The window is the amount of data the host is willing to receive before sending another acknowledgment. TCP’s flow control mechanism means if it is getting overwhelmed, one side can slow the sending rate.

The ack number is the sequence number of the next segment expected from the other host, that is, the sequence number of the last segment received plus 1.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly