Chapter 4 - Sniffing & Evasion Flashcards

1
Q

Promiscuous Mode

A

Has to be set manually. NIC will grab anything passed on wire regardless of destination. Tools for this: WinPcap and libpcap (linux)

2
Q

CSMA/CD

A

Carrier Sense Multiple Access/Collision Detection - used over Ethernet to decide who can talk

3
Q

What protocols are susceptible to sniffing

A

SMTP, FTP, TFTP, IMAP, POP3, NNTP, and HTTP. TCP shows sequence numbers, TCP and UDP show open ports, IP shows source and destination

4
Q

Collision Domains

A

Traffic sent from your NIC (regardless of mode) can only be seen within the same collision domain. Hubs have 1 collision domain. Switches have one for each port.

5
Q

arp -d *

A

Clears ARP cache

6
Q

arp -a

A

Displays current ARP cache

7
Q

ARP

A

Address Resolution Protocol: Resolves IP addresses to MAC addresses. Packets are ARP_REQUEST and ARP_REPLY. arp -a displays the ARP cache

8
Q

Gratuitous ARP

A

Special packet to update ARP cache even without a request.

9
Q

IPV6 Loopback address is what?

A

::1 also uses 128-bit address

10
Q

IPv6 Address Types

A

Unicast - Addressed and intended for one host interface. Multicast - Addressed for multiple host interfaces. Anycast - Large number of hosts can receive; nearest host opens

11
Q

IPv6 Scopes

A

(Scope applies for multicast and anycast). Link Local - Applies only to hosts on the same subnet (Address block fe80::/10). Site Local - Applies to hosts within the same organization (Address block FEC0::/10). Global - Includes everything

12
Q

Lawful interception

A

Legally intercepting communications between two parties

13
Q

Active vs Passive Wiretapping

A

Active - Interjecting something into communication. Passive - Only monitors and records the data.

14
Q

Active vs Passive Sniffing

A

Passive - Watching network traffic without interaction; only works for same collision domain. Active - Uses methods to make a switch send traffic to you even though it isn’t destined for your machine

15
Q

Span Port

A

Switch configuration that makes the switch send a copy of all frames from other ports to a specific port. Not all switches can do this.

16
Q

Network Tap

A

Special port on a switch that allows the connected device to see all traffic.

17
Q

Port Mirroring

A

Another word for span port

18
Q

CAM Table

A

The table on a switch that stores which MAC address is on which port. If the table is empty or full, everything is sent to all ports. This is what's known as MAC flooding

19
Q

Etherflood

A

Tool used to cause MAC flooding

20
Q

Macof

A

Tool used to cause MAC flooding

21
Q

Switch port stealing

A

Similar to CAM flood. Flood the CAM with unsolicited ARPs. But instead of attempting to fill the table, you’re only interested in updating the information regarding a specific port, causing a race condition

22
Q

ARP Poisoning

A

Same as ARP Spoof or Gratuitous ARP. Changes the cache of machines so that packets are sent to you instead of intended target.

23
Q

What are some countermeasures to ARP poisoning?

A

Dynamic ARP Inspection using DHCP snooping. Xarp can also watch for this. Default gateway MAC can be added permanently to machine’s cache.

24
Q

ARP Poisoning Tools

A

Cain and Abel, WinArpAttacker, Ufasoft

25
DHCPv4 Packets
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK
26
DHCPv6 Packets
Solicit, Advertise, Request (confirm/Renew), Reply
27
DHCP Steps
1. Client sends DHCPDISCOVER. 2. Server responds with DHCPOFFER. 3. Client sends request for IP with DHCPREQUEST. 4. Server sends address and config via DHCPACK
28
DHCP Starvation
Attempt to exhaust all available addresses from the server.
29
DHCP Starvation Tools
Yersinia, DHCPstarv
30
Rogue DHCP Server
Fake DHCP server that hands out bad IP addresses to computers on network
31
MAC Spoof vs IRDP Spoof vs DNS Poisoning
MAC - Changes your MAC address to have packets sent to yourself. IRDP Spoofing - hacker sends ICMP Router Discovery Protocol message for malicious gateway. DNS Poison - changes where machines get their DNS info from.
32
Ethereal
What Wireshark used to be called. Packet filter
33
What does the following Wireshark filter accomplish: !(arp or icmp or dns)
Filters out the "noise" from ARP, DNS, and ICMP requests
34
Wireshark filter: http.request
Displays HTTP GET requests
35
ip.addr==172.17.15.12 && tcp.port==23 This filter does what on Wireshark?
Displays Telnet packets containing that IP.
36
tcp.flags==0x16 This filter does what on Wireshark?
Filters TCP requests with ACK flag set
37
tcpdump -i eth1
Puts interface in listening mode
38
tcpdump -w
will write results to a file
39
tcpdump syntax
tcpdump -i eth1 - puts interface in listening mode. -w will write results to file
40
Windows version of tcpdump is what?
WinDump
41
tcptrace
Analyzes files produced by packet capture programs such as Wireshark, tcpdump, and Etherpeek
42
Ettercap
Sniffing tool, can also be used for MITM attacks, ARP poisoning
43
Capsa Network Analyzer
Network sniffer
44
Snort
Open source IDS, can be used as a sniffer, traffic logger, and a protocol analyzer. Three modes: Sniffer, Packet Logger, NIDS
45
Sniffing tools
Snort, Sniff-O-Matic, EtherPeek, WinDump, WinSniffer
46
What does the following snort rule do: alert tcp !HOME_NET any -> $HOME_NET 31337 (msg : "BACKDOOR ATTEMPT-Backorifice")
This rule tells snort "If you happen to come across any packet from any address that is not my home network, using any source port, intended for an address within my home network on port 31337
47
Dynamic NAT vs Static NAT vs Port Address Translation (PAT)
Dynamic: Many to Many , Static: One to Many , Port Address Translation (PAT): Many to One
48
Signature-based vs Anomaly-based IDS
Signature - Compares packets against a list of known traffic patterns. Anomaly - Makes decisions on alerts based on learned behavior and "normal" patterns.
49
Screened Subnet
Hosts all public-facing servers and services.
50
Bastion Hosts
Hosts on the screened subnet designed to protect internal resources.
51
Private Zone
Hosts internal hosts that only respond to requests from within that zone
52
Multi-homed Firewall
Firewall that has two or more interfaces
53
Stateful Inspection
Firewalls that track the entire status of a connection
54
Packet-Filtering
Firewalls that only look at the headers
55
Circuit-level Gateway
Firewall that works on Layer 5 (session Layer)
56
Application-level gateway
Firewall that works like a proxy, allowing specific services in or out.
57
Tools for IDS evasion
Nessus, ADMmutate (creates scripts not recognizable by signature files), NIDSbench, Inundator (flooding tool)
58
An ICMP Type 3 Code 13 shows what?
Traffic is being blocked by the firewall
59
ICMP Type 3 Code 3 shows that
The client itself has the port closed
60
Firewalking
Going through every port on a firewall to determine what is open
61
High Interaction vs Low Interaction Honeypot
High Interaction: Simulates all services and applications and is designed to be completely compromised. Low Interaction: Simulates a number of services and cannot be completely compromised.
62
Honeypot Tools
Specter, Honeyd, KFSensor
63
Tools for firewall evasion
CovertTCP, ICMP Shell, 007 Shell