Chapter 4 - Sniffing and Evasion (Sniffing) Flashcards

1
Q

IP Packet header data and uses

source, destination addresses

QoS (Type of Service) field

Fragmentation data (Identification and Fragment Offset fields)

A

source/destination addresses - obvious

QoS (ToS/DSCP) and the fragmentation fields (Identification, flags, Fragment Offset) are the ones you set by hand when crafting your own fragmented packets

2
Q

Name for the first half of a MAC address

A

Organizationally Unique Identifier (OUI)

3
Q

ARP Commands

arp -a

arp -d *

netsh interface ip delete arpcache

A

arp -a shows the ARP cache

arp -d * and the netsh command (Windows) delete the ARP cache

4
Q

Exam tip

IPv6 Loopback address

A

0000:0000:0000:0000:0000:0000:0000:0001

abbreviate as ::1

5
Q

Exam tips for IPv6

Loopback address

link-local addressing

A

0000:0000:0000:0000:0000:0000:0000:0001
abbreviate as ::1

Link Local reserved address block: fe80::/10

unique local address (equivalent of IPv4 private addressing) is in the fc00::/7 block

prefix for site local addresses is always fec0::/10 (deprecated by RFC 3879 in favour of unique local addresses, but still worth knowing)

6
Q

IPv6 address types

A

unicast - works like IPv4

multicast - works like IPv4

anycast - works like multicast but designed to be received and opened by only the closest member of a group, identified in terms of routing distance (hops)

broadcast address in ipv4 no longer used. multicast performs that role

7
Q

IPv6 scopes for unicast and multicast

scopes define how far the address can go

A

link local - only hosts on the same link/subnet; the boundary is the local segment and routers never forward it. For private addressing only, similar to the old IPv4 169.254.0.0/16 (APIPA) range

site local - only hosts in the same organization (private site addressing). Routed between subnets inside the site but never onto the global Internet. Similar to the IPv4 private ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16

global - everyone
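Added example (not part of the original flashcards) covering cards 4 to 7: it compresses and expands IPv6 addresses per RFC 5952 and classifies an address into the scopes listed above using Python's standard `ipaddress` module. The sample addresses are constructed for the demo.

```python
import ipaddress

# Constructed sample addresses, one per scope/type from the cards above.
SAMPLES = {
    "loopback":     "0000:0000:0000:0000:0000:0000:0000:0001",
    "link-local":   "fe80:0000:0000:0000:0a00:27ff:fe4e:66a1",
    "unique-local": "fd12:3456:789a:0001:0000:0000:0000:0010",
    "site-local":   "fec0:0000:0000:0001:0000:0000:0000:0020",
    "multicast":    "ff02:0000:0000:0000:0000:0000:0000:0001",
    "global":       "2001:0db8:0000:0000:0000:0000:0000:0001",
}

def compress(addr):
    """RFC 5952 short form: leading zeros dropped from every group and the
    single longest run of all-zero groups collapsed to '::' (first run wins
    on a tie, and a lone zero group is never collapsed)."""
    return str(ipaddress.IPv6Address(addr))

def expand(addr):
    """Full eight-group form with every leading zero restored."""
    return ipaddress.IPv6Address(addr).exploded

def classify(addr):
    """Map an address to the reserved blocks from the cards: ::1, ff00::/8,
    fe80::/10, fec0::/10 (deprecated site-local), fc00::/7, otherwise global.
    Multicast is tested before link-local because ff02::/16 is link-scoped
    multicast, not a link-local unicast address."""
    a = ipaddress.IPv6Address(addr)
    if a.is_loopback:
        return "loopback"
    if a.is_multicast:
        return "multicast"
    if a.is_link_local:
        return "link-local"
    if a.is_site_local:
        return "site-local"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local"
    return "global"

def scope_table(samples=SAMPLES):
    """{label: (compressed form, classified scope)} for every sample."""
    return {name: (compress(a), classify(a)) for name, a in samples.items()}

if __name__ == "__main__":
    for name, (short, scope) in scope_table().items():
        print(f"{name:13} {short:28} -> {scope}")
```

Usage note: `is_site_local` answers for the fec0::/10 block only; an address such as 2001:db8::1 is reported as global even though the 2001:db8::/32 documentation prefix is not routed, so treat the result as "which reserved block", not "reachable from the Internet".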

8
Q

Lawful Interception

A

process of legally intercepting communications between 2 or more parties for surveillance on telecommunication, VOIP, data and multi service networks

9
Q

Active and Passive wiretapping

A

active interjects something into the communication

passive only monitors and records

10
Q

Active and Passive sniffing

A

Active usually means the collision domain you are on is segmented from the one you want to look at, i.e. you are on a switch, so you have to inject traffic (ARP poisoning, MAC flooding) to get the target's frames delivered to your port

Passive works only if you are on the same collision domain as your targets (a hub, or a SPAN port), because every frame already reaches your NIC and you just listen

11
Q

Span port / port mirroring

A

switch port that can be configured to receive a copy of the traffic from other ports (Cisco calls it SPAN).

Most modern switches don't let the mirror destination port transmit into the switch, only receive, so you can listen on it but not talk through it

12
Q

Content Addressable Memory Table

CAM Table

A

table in the switch that contains a list of which MAC addresses are on which ports

13
Q

MAC Flooding

A

send frames with so many different source MAC addresses that the CAM table fills up; once it can't learn new addresses the switch floods unicast frames out every port and effectively turns into a hub.

Most modern switches mitigate this with port security (a limit on MAC addresses learned per port; a violation shuts the port down)

14
Q

ECC Term “Switch Port Stealing”

A

a variant of MAC flooding: instead of filling the CAM table, you keep sending frames with the victim's MAC as the source from your own port, so the switch flips the victim's entry back and forth between your port and the real one (a race condition) and you receive part of the victim's traffic

15
Q

ARP Poisoning aka ARP Spoofing (usually carried out with gratuitous ARP replies)

A

maliciously changing the ARP cache on a machine by injecting faulty entries (e.g. gateway IP -> attacker MAC)

not that difficult since ARP is stateless: hosts accept unsolicited (gratuitous) replies and update their cache without ever having asked

16
Q

ARP Poisoning caveats

A

ARP entries expire and get refreshed frequently. To maintain control your forged reply has to keep landing before the real one does

ARP poisoning attempts can trigger alerts (arpwatch, Dynamic ARP Inspection on switches), since the gratuitous ARPs are broadcast

speed always wins: when a machine sends an ARP request, whichever reply arrives first is cached, so the attacker has to get there first
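Added example (not from the original flashcards) tying cards 3, 15 and 16 together: it parses `arp -a` output, flags one MAC claiming several unicast IPs (the poisoning footprint), and diffs two cache snapshots the way arpwatch does. Both `arp -a` listings are constructed for the demo; the 192.168.1.0/24 addresses and MACs are made up.

```python
import re
from collections import defaultdict

# Constructed Windows 'arp -a' output, not a real capture. The attacker at
# 192.168.1.37 has poisoned the cache so the gateway 192.168.1.1 resolves
# to the attacker's NIC, 00-11-22-33-44-55.
POISONED = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.37          00-11-22-33-44-55     dynamic
  192.168.1.55          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Same host before the attack: the gateway still has its own MAC.
CLEAN = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-50-56-aa-bb-01     dynamic
  192.168.1.37          00-11-22-33-44-55     dynamic
  192.168.1.55          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One IPv4 address followed (somewhere on the same line) by one MAC.
ENTRY = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}).*?([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})")

def parse_arp_cache(text):
    """{ip: mac} from any listing with one IP and one MAC per line
    (Windows/macOS 'arp -a', Linux 'arp -n', 'ip neigh'). MACs are
    normalised to lowercase colon form so both spellings compare equal."""
    cache = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            cache[m.group(1)] = m.group(2).lower().replace("-", ":")
    return cache

def is_group_mac(mac):
    """Broadcast and multicast MACs (low bit of the first octet set) map to
    many IPs legitimately and must not count as poisoning."""
    return int(mac[:2], 16) & 1 == 1

def find_poisoning(cache, gateway_ip=None):
    """One NIC claiming several unicast IPs is the classic footprint of ARP
    poisoning. Returns [(mac, [ips], severity)]; 'high' when the gateway is
    among the claimed IPs, since that gives a full man-in-the-middle."""
    by_mac = defaultdict(list)
    for ip, mac in cache.items():
        if not is_group_mac(mac):
            by_mac[mac].append(ip)
    findings = []
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            severity = "high" if gateway_ip in ips else "medium"
            findings.append((mac, sorted(ips), severity))
    return sorted(findings)

def changed_entries(before, after):
    """IPs whose MAC differs between two cache snapshots. A gateway that
    suddenly resolves to another NIC is what arpwatch-style monitors alert
    on; the same comparison is worth running after 'arp -d *'."""
    return {ip: (before[ip], after[ip])
            for ip in before if ip in after and before[ip] != after[ip]}

if __name__ == "__main__":
    clean, bad = parse_arp_cache(CLEAN), parse_arp_cache(POISONED)
    print(find_poisoning(bad, gateway_ip="192.168.1.1"))
    print(changed_entries(clean, bad))
```

Usage note: a static entry for the gateway (`arp -s` on Windows) defeats this particular poisoning on one host, but the detection logic above is what you want on a monitoring box, because the attacker only has to beat the legitimate reply once per cache timeout.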

18
Q

DHCP Starvation

A

attacker tries to exhaust all available addresses from the server

more of a DoS type attack. Attacker sends an unending stream of forged DHCP requests, each from a different spoofed MAC, until the pool is empty

Tools: Yersinia, DHCPStarv

Mitigation - configure DHCP snooping

19
Q

DHCP 4 step process

DORA

A

Discover - client broadcasts to find a DHCP server
Offer - DHCP server (via a relay agent if the server is on another subnet) replies with an offered IP
Request - client broadcasts a request for the offered IP
Acknowledge - server responds with an acknowledgement and the IP info (mask, gateway, DNS, lease time)

20
Q

Exam Tip

Rogue DHCP Server usefulness for attacks

A

Could allow attacker to redirect communications, either in conjunction with a DHCP starvation attack or not
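Added example (not from the original flashcards) for cards 18 to 20: it builds and parses RFC 2131 DHCP messages and runs the full DORA exchange in-process, with both sides' messages as raw bytes. Running it once with a legitimate server and once with a rogue server address shows how the rogue's Offer, if it arrives first, silently sets the client's gateway and DNS. The 192.168.1.0/24 addresses, the client MAC and the transaction ID are assumed values for the demo.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"                    # RFC 2131 magic cookie
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5      # option 53 message types
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"           # 236-byte fixed BOOTP header

def build_dhcp(msg_type, xid, client_mac, yiaddr="0.0.0.0",
               siaddr="0.0.0.0", options=()):
    """Fixed header, magic cookie, option 53, caller's TLV options, 0xff."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2    # BOOTREQUEST / BOOTREPLY
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0")
    header = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0x8000,  # htype=Ethernet, broadcast flag
                         b"\0" * 4,                      # ciaddr
                         socket.inet_aton(yiaddr),       # "your" (offered) address
                         socket.inet_aton(siaddr),       # server address
                         b"\0" * 4,                      # giaddr: relay agent, unused here
                         chaddr, b"\0" * 64, b"\0" * 128)
    body = bytes([53, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC + body + b"\xff"

def parse_dhcp(pkt):
    hdr = struct.unpack(HEADER, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    msg = {"op": hdr[0], "xid": hdr[4], "yiaddr": socket.inet_ntoa(hdr[8]),
           "siaddr": socket.inet_ntoa(hdr[9]),
           "chaddr": ":".join(f"{b:02x}" for b in hdr[11][:hdr[2]]), "options": {}}
    i = 240
    while i < len(pkt) and pkt[i] != 0xFF:       # walk TLVs until the end option
        if pkt[i] == 0:                          # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        msg["options"][code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    msg["type"] = msg["options"][53][0]
    return msg

def dora_exchange(server_ip, offered_ip, router_ip, dns_ip,
                  client_mac="08:00:27:4e:66:a1", xid=0x3903F326):
    """All four steps in-process. The 'server' is whichever host answers the
    broadcast Discover first: a rogue server just puts its own address in
    the router (3) and DNS (6) options and the client obeys."""
    server_opts = [(54, socket.inet_aton(server_ip)),            # server identifier
                   (1, socket.inet_aton("255.255.255.0")),        # subnet mask
                   (3, socket.inet_aton(router_ip)),              # default gateway
                   (6, socket.inet_aton(dns_ip)),                 # DNS server
                   (51, struct.pack("!I", 86400))]                # lease time, seconds
    # 1. Discover: client broadcasts, asking for mask, router and DNS (option 55)
    discover = parse_dhcp(build_dhcp(DISCOVER, xid, client_mac,
                                     options=[(55, bytes([1, 3, 6]))]))
    # 2. Offer: server proposes an address, echoing the client's xid and chaddr
    offer = parse_dhcp(build_dhcp(OFFER, discover["xid"], discover["chaddr"],
                                  yiaddr=offered_ip, siaddr=server_ip,
                                  options=server_opts))
    if offer["xid"] != xid:              # client ignores offers for other transactions
        raise ValueError("xid mismatch")
    # 3. Request: client asks for the offered address from that server
    request = parse_dhcp(build_dhcp(REQUEST, xid, client_mac, options=[
        (50, socket.inet_aton(offer["yiaddr"])), (54, offer["options"][54])]))
    # 4. Acknowledge: server confirms and repeats the lease parameters
    ack = parse_dhcp(build_dhcp(ACK, request["xid"], request["chaddr"],
                                yiaddr=socket.inet_ntoa(request["options"][50]),
                                siaddr=server_ip, options=server_opts))
    return {"ip": ack["yiaddr"],
            "router": socket.inet_ntoa(ack["options"][3]),
            "dns": socket.inet_ntoa(ack["options"][6]),
            "server": socket.inet_ntoa(ack["options"][54]),
            "lease_seconds": struct.unpack("!I", ack["options"][51])[0],
            "types": (discover["type"], offer["type"], request["type"], ack["type"])}

if __name__ == "__main__":
    print("legit:", dora_exchange("192.168.1.1", "192.168.1.50", "192.168.1.1", "192.168.1.1"))
    print("rogue:", dora_exchange("192.168.1.66", "192.168.1.50", "192.168.1.66", "192.168.1.66"))
```

Usage note: DHCP snooping stops the rogue case by only accepting Offer/Ack messages on ports marked trusted, and stops starvation by rate-limiting Discover/Request messages per untrusted port; nothing in the protocol itself authenticates the server.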

21
Q

MAC Spoofing

A

Attacker on port 3 sends forged packets with victim’s MAC address.

Switch sees victim “moved” to port 3 and sends traffic for victim computer to port 3 attacker
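Added example (not from the original flashcards) for cards 12, 13, 14 and 21: a toy learning switch with a bounded CAM table. `mac_flood_demo` shows the table filling and unicast traffic being flooded, then the same attack stopped by a per-port MAC limit (port security); `mac_spoof_demo` shows the victim's entry "moving" to the attacker's port, which is also the mechanism switch port stealing races on. Port numbers, MACs and the table size are assumed values for the demo.

```python
import random
from collections import OrderedDict

FLOOD = "flood"

class Switch:
    """Toy learning switch. The CAM table maps source MAC -> ingress port and
    has a fixed capacity, like the real ASIC table. max_macs_per_port models
    port security: a port that tries to learn more MACs than allowed goes
    err-disabled and drops everything afterwards."""

    def __init__(self, ports, cam_capacity=8, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam = OrderedDict()            # mac -> port
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port
        self.errdisabled = set()

    def macs_on(self, port):
        return [m for m, p in self.cam.items() if p == port]

    def receive(self, in_port, src_mac, dst_mac):
        """Handle one frame: learn the source, then forward. Returns the egress
        port, FLOOD (sent out every other port) or None (dropped)."""
        if in_port in self.errdisabled:
            return None
        new_mac = src_mac not in self.cam
        if (self.max_macs_per_port is not None and new_mac
                and len(self.macs_on(in_port)) >= self.max_macs_per_port):
            self.errdisabled.add(in_port)   # port-security violation: shut the port
            return None
        # Learning. A known MAC seen on another port simply "moves", which is
        # what MAC spoofing and port stealing rely on. A new MAC is learned
        # only while the table has room, which MAC flooding exhausts.
        if not new_mac or len(self.cam) < self.cam_capacity:
            self.cam[src_mac] = in_port
        out = self.cam.get(dst_mac)
        if out is None:
            return FLOOD                    # unknown destination: flood it
        return None if out == in_port else out

def mac_flood_demo(port_security=False):
    """Attacker on port 3 sprays random source MACs. Returns where the reply
    from victim B (port 2) to victim A (port 1) ends up, and whether port
    security shut the attacker's port."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=8,
                max_macs_per_port=2 if port_security else None)
    victim_a, victim_b = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"
    rnd = random.Random(1)                  # deterministic fake MACs
    for _ in range(20):                     # far more than the table holds
        fake = "02:" + ":".join(f"{rnd.randrange(256):02x}" for _ in range(5))
        sw.receive(3, fake, "ff:ff:ff:ff:ff:ff")
    sw.receive(1, victim_a, victim_b)       # A talks to B after the attack
    return sw.receive(2, victim_b, victim_a), 3 in sw.errdisabled

def mac_spoof_demo():
    """Victim on port 1, gateway on port 2, attacker on port 3 forging the
    victim's MAC. Returns the port the gateway's traffic for the victim is
    delivered to before and after the forged frame."""
    sw = Switch(ports=[1, 2, 3])
    victim, gateway = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:fe"
    sw.receive(1, victim, gateway)          # switch learns victim on port 1
    sw.receive(2, gateway, victim)          # learns gateway on port 2, delivers to port 1
    before = sw.cam[victim]
    sw.receive(3, victim, gateway)          # attacker: source MAC = victim's
    after = sw.receive(2, gateway, victim)  # gateway's next frame goes to port 3
    return before, after

if __name__ == "__main__":
    print("flood, no port security:", mac_flood_demo())
    print("flood, port security:   ", mac_flood_demo(port_security=True))
    print("spoof (before, after):  ", mac_spoof_demo())
```

Usage note: in the flooded case the victims' MACs are never learned, so even their replies are flooded out of the attacker's port; with port security the attacker's third MAC err-disables port 3 and the victims' frames are switched normally. Switch port stealing is `mac_spoof_demo` repeated in a loop against the victim's own frames, each side re-learning the entry in turn.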

22
Q

IRDP Spoofing

ICMP Router Discovery Protocol Spoofing

A

attacker sends spoofed IRDP messages through the network, advertising whatever gateway he wants systems to start routing messages to

23
Q

Exam Tip

know wireshark filters (www.wireshark.org/docs has how-to guides, practice captures and videos)

!(arp or icmp or dns)

http.request

tcp contains string

ip.addr==172.17.15.12 && tcp.port==23
ip.addr==172.17.15.12 or ip.addr==172.17.15.160

A

!(arp or icmp or dns)
filters out those 3 types of packets (everything else is displayed)

http.request
displays all HTTP requests (GET, POST and the other methods); use http.request.method == "GET" for GETs only

tcp contains string
displays all TCP segments whose bytes contain the text "string"

ip.addr==172.17.15.12 && tcp.port==23
displays telnet (TCP port 23) packets to or from that IP address; ip.addr matches source or destination

ip.addr==172.17.15.12 or ip.addr==172.17.15.160
shows packets with either IP address as source or destination

24
Q

Wireshark operators (conjunctions)

equal to

and

or

A

equal to
== (or eq), e.g. ip.addr==172.17.15.12

and
&& (or and) means the packet will only display if BOTH arguments are true

or
|| (or or) means the packet will display if either argument is true
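Added example (not from the original flashcards) for cards 23 and 24: a small evaluator for the subset of Wireshark display-filter syntax the cards use (`!`, `&&`/`and`, `||`/`or`, parentheses, `==`/`eq`, `contains`, bare protocol or field names), run over a constructed five-frame capture. It is not Wireshark's own engine; the point is the semantics the cards state, in particular that `ip.addr==x` matches when ANY value of the field (source or destination) equals x, and that a lone `=` is a syntax error. The frames, addresses and payloads are made up.

```python
import re

# Constructed five-frame "capture", not a real pcap: each frame is a dict of
# Wireshark-style field name -> list of values (ip.addr holds src and dst).
CAPTURE = [
    {"frame.number": [1], "arp": [""], "arp.src.proto_ipv4": ["172.17.15.1"]},
    {"frame.number": [2], "ip.addr": ["172.17.15.12", "172.17.15.1"],
     "tcp": ["login: admin"], "tcp.port": [51234, 23], "telnet": [""]},
    {"frame.number": [3], "ip.addr": ["172.17.15.160", "93.184.216.34"],
     "tcp": ["GET / HTTP/1.1"], "tcp.port": [40000, 80],
     "http": [""], "http.request": [""], "http.request.method": ["GET"]},
    {"frame.number": [4], "ip.addr": ["172.17.15.160", "172.17.15.1"],
     "udp.port": [5353, 53], "dns": [""]},
    {"frame.number": [5], "ip.addr": ["172.17.15.12", "172.17.15.160"], "icmp": [""]},
]

TOKEN = re.compile(r'\s*(?:(\(|\)|==|&&|\|\||!)|"([^"]*)"|([^\s()"=!&|]+))')

def tokenize(text):
    """Split a filter into ('op', x), ('str', x) and ('word', x) tokens."""
    toks, i, text = [], 0, text.strip()
    while i < len(text):
        m = TOKEN.match(text, i)
        if not m:                       # e.g. a lone '=' (tcp.port=23)
            raise SyntaxError(f"bad filter near {text[i:]!r}")
        i = m.end()
        if m.group(1):
            toks.append(("op", m.group(1)))
        elif m.group(2) is not None:
            toks.append(("str", m.group(2)))
        else:
            toks.append(("word", m.group(3)))
    return toks

class Parser:
    """Recursive descent: or > and > not > primary, so && binds tighter
    than || and ! tightest of all, matching Wireshark's precedence."""
    def __init__(self, text):
        self.toks, self.pos = tokenize(text), 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else (None, None)
    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok
    def parse(self):
        node = self.or_expr()
        if self.peek() != (None, None):
            raise SyntaxError(f"unexpected {self.peek()[1]!r}")
        return node
    def or_expr(self):
        node = self.and_expr()
        while self.peek() in (("op", "||"), ("word", "or")):
            self.take()
            node = ("or", node, self.and_expr())
        return node
    def and_expr(self):
        node = self.not_expr()
        while self.peek() in (("op", "&&"), ("word", "and")):
            self.take()
            node = ("and", node, self.not_expr())
        return node
    def not_expr(self):
        if self.peek() in (("op", "!"), ("word", "not")):
            self.take()
            return ("not", self.not_expr())
        return self.primary()
    def primary(self):
        kind, val = self.take()
        if (kind, val) == ("op", "("):
            node = self.or_expr()
            if self.take() != ("op", ")"):
                raise SyntaxError("expected )")
            return node
        if kind != "word":
            raise SyntaxError(f"unexpected {val!r}")
        if self.peek() in (("op", "=="), ("word", "eq")):
            self.take()
            return ("eq", val, self.take()[1])
        if self.peek() == ("word", "contains"):
            self.take()
            return ("contains", val, self.take()[1])
        return ("present", val)         # bare field or protocol name

def matches(node, frame):
    kind = node[0]
    if kind == "or":
        return matches(node[1], frame) or matches(node[2], frame)
    if kind == "and":
        return matches(node[1], frame) and matches(node[2], frame)
    if kind == "not":
        return not matches(node[1], frame)
    values = [str(v) for v in frame.get(node[1], [])]
    if kind == "present":
        return bool(values)
    if kind == "eq":                    # true if ANY value of the field is equal
        return node[2] in values
    return any(node[2] in v for v in values)    # contains: substring of any value

def apply_filter(text, capture=CAPTURE):
    """Frame numbers the display filter would leave visible."""
    tree = Parser(text).parse()
    return [f["frame.number"][0] for f in capture if matches(tree, f)]
```

Usage note: `apply_filter("!(arp or icmp or dns)")` leaves frames 2 and 3, and `apply_filter("ip.addr == 172.17.15.12")` returns frames 2 and 5 because the address appears as destination in one and source in the other; that any-value rule is why a filter such as `ip.addr==x` is the right way to get "everything involving host x", and why negated comparisons on multi-valued fields need care in real Wireshark.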