CH 9 - Sniffing Flashcards

1
Q

Which hardware vendor uses the term SPAN on switches?

A. HP
B. 3COM
C. Cisco
D. Juniper

A

C.
Cisco

2
Q

If you saw the following command line, what would you be capturing?

tcpdump -i eth2 host 192.168.10.5

A. Traffic just from 192.168.10.5
B. Traffic to and from 192.168.10.5
C. Traffic just to 192.168.10.5
D. All traffic other than from 192.168.10.5

A

B.
Traffic to and from 192.168.10.5

3
Q

In the following packet, what port is the source port?

20:45:55.272087 IP yazpistachio.lan.62882 > loft.lan.afs3-fileserver: Flags [P.], seq 915235445:915235528, ack 3437318287, win 2048, options [nop,nop,TS val 1310611430 ecr 1794010423], length 83

A. 1310611430
B. 272087
C. 2048
D. 62882

A

D.
62882

4
Q

What is one downside to running a default tcpdump without any parameters?

A. DNS requests
B. Not enough information
C. Sequence numbers don’t show
D. tcpdump not running without additional parameters

A

A.
DNS requests

5
Q

At which protocol layer does the Berkeley Packet Filter operate?

A. Internetwork
B. Transport
C. Data Link
D. Protocol

A

C.
Data Link

6
Q

What do we call an ARP response without a corresponding ARP request?

A. Is-at response
B. Who-has ARP
C. Gratuitous ARP
D. IP response

A

C.
Gratuitous ARP

7
Q

Which functionality in Wireshark will provide you with percentages for every protocol in the packet capture, ordered by protocol layers?

A. Conversations
B. Endpoints
C. Protocol hierarchy
D. Statistics view

A

C.
Protocol hierarchy

8
Q

Which program would you use if you wanted to only print specific fields from the captured packet?

A. fielddump
B. tcpdump
C. wiredump
D. tshark

A

D.
tshark

9
Q

The following shows a time stamp. What does the time of this message reflect?

630 41.897644 192.168.86.210 239.255.255.250 SSDP 750 NOTIFY * HTTP/1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]

A. The time since 1970
B. The time of day
C. The time since packet start
D. There is no time in the summary

A

C.
The time since packet start

10
Q

What protocol is being used in the frame listed in this summary?

719 42.691135 157.240.19.26 192.168.86.26 TCP 1464 443 → 61618 [ACK] Seq=4361 Ack=1276 Win=31232 Len=1398 TSval=3725556941 TSecr=1266252437 [TCP segment of a reassembled PDU]

A. TLS
B. UDP
C. IP
D. TCP

A

D.
TCP

11
Q

What program could be used to perform spoofing attacks and also supports plugins?

A. arpspoof
B. fragroute
C. Ettercap
D. sslstrip

A

C.
Ettercap

12
Q

What would you need to do before you could perform a DNS spoof attack using Ettercap?

A. Set up a port span
B. Start up Wireshark
C. ARP spoof
D. Configure sslstrip

A

C.
ARP spoof

13
Q

Which command-line parameter would you use to disable name resolutions in tcpdump?

A. -n
B. -i
C. -r
D. -x

A

A.
-n

14
Q

Why might you have more endpoints shown at layer 4 than at layer 2?

A. Layer 4 multiplexes layer 2
B. Systems may initiate multiple connections to the same host
C. Ports are more numerous than MAC addresses
D. The IP addresses dictate the endpoints

A

B.
Systems may initiate multiple connections to the same host

15
Q

What would you use sslstrip for?

A. Getting plaintext traffic
B. Removing all SSL requests
C. Converting SSL to TLS
D. Converting TLS to SSL

A

A.
Getting plaintext traffic

16
Q

Why might you have problems with sslstrip?

A. sslstrip is deprecated
B. sslstrip doesn’t work with newer versions of TLS
C. sslstrip doesn’t support TLS
D. sslstrip works only with Ettercap

A

B.
sslstrip doesn’t work with newer versions of TLS

17
Q

What does the following line mean?

Sequence number: 4361 (relative sequence number)

A. The sequence number shown is not the real sequence number
B. The sequence number shown has not been incremented
C. The sequence number shown isn’t long enough
D. The sequence number shown is the acknowledgment number

A

A.
The sequence number shown is not the real sequence number

18
Q

What can you say about [TCP Segment Len: 35], as provided by Wireshark?

A. The window size has changed
B. Wireshark has inferred this information
C. Wireshark extracted this from one of the headers
D. Wireshark has additional detail below

A

B.
Wireshark has inferred this information

19
Q

What problem does port scanning overcome?

A. Switches don’t support layer 3
B. Switches aggregate ports
C. Switches filter traffic
D. Switches are unreliable

A

C.
Switches filter traffic

20
Q

What is the /etc/ettercap/etter.dns file used for?

A. Enabling firewall rules for Ettercap
B. Configuring hostnames to IP addresses
C. Setting up mail for Ettercap
D. Disabling ARP spoofing in Ettercap

A

B.
Configuring hostnames to IP addresses

21
Q

If you saw the following in your ifconfig output, what could you say is happening?

eth0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=50b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV,CHANNEL_IO>
ether 14:98:77:31:b2:33
inet6 fe80::10c6:713a:e86f:556d%en0 prefixlen 64 secured scopeid 0x7
inet 192.168.1.144 netmask 0xffffff00 broadcast 192.168.1.255
inet6 2601:18d:8b7f:e33a::52 prefixlen 64 dynamic
inet6 fd23:5d5f:cd75:40d2:87:38bc:9448:3407 prefixlen 64 autoconf secured
nd6 options=201<PERFORMNUD,DAD>
media: autoselect (1000baseT <full-duplex,flow-control,energy-efficient-ethernet>)
status: active

A. ARP spoofing attack
B. ARP flooding attack
C. Network sniffing
D. Man-in-the-middle attack

A

C.
Network sniffing

22
Q

Which of these would not be a result of a DHCP starvation attack for the victim?

A. Attacker getting a new IP address
B. Attacker setting default gateway
C. Attacker setting DNS server
D. Denial of service

A

A.
Attacker getting a new IP address

23
Q

If you suddenly saw a large number of DHCPDISCOVER packets on your network, what might you begin investigating?

A. ARP spoofing
B. Network sniffing
C. DHCP starvation attack
D. DNS poisoning

A

C.
DHCP starvation attack

24
Q

What network technology makes sniffing harder for attackers?

A. Hubs
B. DHCP
C. Switches
D. Mail servers

A

C.
Switches

25
Q

Your sslstrip session is not going well. What might you suspect?

A. The sessions are all SSL v3
B. The sessions are all TLS v1.0
C. The sessions are all TLS v1.1
D. The sessions are all TLS v1.3

A

D.
The sessions are all TLS v1.3