CH 9 - Sniffing Flashcards
Which hardware vendor uses the term SPAN on switches?
A. HP
B. 3COM
C. Cisco
D. Juniper
C.
Cisco
If you saw the following command line, what would you be capturing?
tcpdump -i eth2 host 192.168.10.5
A. Traffic just from 192.168.10.5
B. Traffic to and from 192.168.10.5
C. Traffic just to 192.168.10.5
D. All traffic other than from 192.168.10.5
B.
Traffic to and from 192.168.10.5
In the following packet, what port is the source port?
20:45:55.272087 IP yazpistachio.lan.62882 > loft.lan.afs3-fileserver: Flags [P.], seq 915235445:915235528, ack 3437318287, win 2048, options [nop,nop,TS val 1310611430 ecr 1794010423], length 83
A. 1310611430
B. 272087
C. 2048
D. 62882
D.
62882
What is one downside to running a default tcpdump without any parameters?
A. DNS requests
B. Not enough information
C. Sequence numbers don’t show
D. tcpdump not running without additional parameters
A.
DNS requests
At which protocol layer does the Berkeley Packet Filter operate?
A. Internetwork
B. Transport
C. Data Link
D. Protocol
C.
Data Link
What do we call an ARP response without a corresponding ARP request?
A. Is-at response
B. Who-has ARP
C. Gratuitous ARP
D. IP response
C.
Gratuitous ARP
Which functionality in Wireshark will provide you with percentages for every protocol in the packet capture, ordered by protocol layers?
A. Conversations
B. Endpoints
C. Protocol hierarchy
D. Statistics view
C.
Protocol hierarchy
Which program would you use if you wanted to only print specific fields from the captured packet?
A. fielddump
B. tcpdump
C. wiredump
D. tshark
D.
tshark
The following shows a time stamp. What does the time of this message reflect?
630 41.897644 192.168.86.210 239.255.255.250 SSDP 750 NOTIFY * HTTP/1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
A. The time since 1970
B. The time of day
C. The time since packet start
D. There is no time in the summary
C.
The time since packet start
What protocol is being used in the frame listed in this summary?
719 42.691135 157.240.19.26 192.168.86.26 TCP 1464 443 → 61618 [ACK] Seq=4361 Ack=1276 Win=31232 Len=1398 TSval=3725556941 TSecr=1266252437 [TCP segment of a reassembled PDU]
A. TLS
B. UDP
C. IP
D. TCP
D.
TCP
What program could be used to perform spoofing attacks and also supports plugins?
A. arpspoof
B. fragroute
C. Ettercap
D. sslstrip
C.
Ettercap
What would you need to do before you could perform a DNS spoof attack using Ettercap?
A. Set up a port span
B. Start up Wireshark
C. ARP spoof
D. Configure sslstrip
C.
ARP spoof
Which command-line parameter would you use to disable name resolutions in tcpdump?
A. -n
B. -i
C. -r
D. -x
A.
-n
Why might you have more endpoints shown at layer 4 than at layer 2?
A. Layer 4 multiplexes layer 2
B. Systems may initiate multiple connections to the same host
C. Ports are more numerous than MAC addresses
D. The IP addresses dictate the endpoints
B.
Systems may initiate multiple connections to the same host
What would you use sslstrip for?
A. Getting plaintext traffic
B. Removing all SSL requests
C. Converting SSL to TLS
D. Converting TLS to SSL
A.
Getting plaintext traffic
Why might you have problems with sslstrip?
A. sslstrip is deprecated
B. sslstrip doesn’t work with newer versions of TLS
C. sslstrip doesn’t support TLS
D. sslstrip works only with Ettercap
B.
sslstrip doesn’t work with newer versions of TLS
What does the following line mean?
Sequence number: 4361 (relative sequence number)
A. The sequence number shown is not the real sequence number
B. The sequence number shown has not been incremented
C. The sequence number shown isn’t long enough
D. The sequence number shown is the acknowledgment number
A.
The sequence number shown is not the real sequence number
What can you say about [TCP Segment Len: 35], as provided by Wireshark?
A. The window size has changed
B. Wireshark has inferred this information
C. Wireshark extracted this from one of the headers
D. Wireshark has additional detail below
B.
Wireshark has inferred this information
What problem does port spanning overcome?
A. Switches don’t support layer 3
B. Switches aggregate ports
C. Switches filter traffic
D. Switches are unreliable
C.
Switches filter traffic
What is the /etc/ettercap/etter.dns file used for?
A. Enabling firewall rules for Ettercap
B. Configuring hostnames to IP addresses
C. Setting up mail for Ettercap
D. Disabling ARP spoofing in Ettercap
B.
Configuring hostnames to IP addresses
If you saw the following in your ifconfig output, what could you say is happening?
eth0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=50b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV,CHANNEL_IO>
ether 14:98:77:31:b2:33
inet6 fe80::10c6:713a:e86f:556d%en0 prefixlen 64 secured scopeid 0x7
inet 192.168.1.144 netmask 0xffffff00 broadcast 192.168.1.255
inet6 2601:18d:8b7f:e33a::52 prefixlen 64 dynamic
inet6 fd23:5d5f:cd75:40d2:87:38bc:9448:3407 prefixlen 64 autoconf secured
nd6 options=201<PERFORMNUD,DAD>
media: autoselect (1000baseT <full-duplex,flow-control,energy-efficient-ethernet>)
status: active
A. ARP spoofing attack
B. ARP flooding attack
C. Network sniffing
D. Man-in-the-middle attack
C.
Network sniffing
Which of these would not be a result of a DHCP starvation attack for the victim?
A. Attacker getting a new IP address
B. Attacker setting default gateway
C. Attacker setting DNS server
D. Denial of service
A.
Attacker getting a new IP address
If you suddenly saw a large number of DHCPDISCOVER packets on your network, what might you begin investigating?
A. ARP spoofing
B. Network sniffing
C. DHCP starvation attack
D. DNS poisoning
C.
DHCP starvation attack
What network technology makes sniffing harder for attackers?
A. Hubs
B. DHCP
C. Switches
D. Mail servers
C.
Switches
Your sslstrip session is not going well. What might you suspect?
A. The sessions are all SSL v3
B. The sessions are all TLS v1.0
C. The sessions are all TLS v1.1
D. The sessions are all TLS v1.3
D.
The sessions are all TLS v1.3