Chapter 4 - Sniffing & Evasion

Question 1

Promiscuous Mode

Answer 1

Has to be set manulaly. NIC will grab anything passed on wire regardless of destination. Tools for this: WinPcap and libpcap (linux)

Question 2

CSMA/CD

Answer 2

Carrier Sense Multiple Access/Collision Detection - used over Ethernet to decide who can talk

Question 3

What protocols are susceptible to sniffing

Answer 3

SMTP, FTP, TFTP, IMAP, POP3, NNTP, and HTTP, TCP shows sequence numbers, TCP and UDP show open ports, IP shows source and destination

Question 4

Collision Domains

Answer 4

Traffic sent from your NIC (regardless of mode) ca nonly be seen within the same collision domain. Hubs have 1 collision domain. Switches have one for each port.

Question 5

arp -d *

Answer 5

Clears ARP cache

Question 6

arp -a

Answer 6

Displays current ARP cache

Question 7

ARP

Answer 7

Address Resolution Protocol: Resolves IP address to MAC addresses. Packets are ARP_REQUEST and ARP_REPLY. Arp -a displays arp cache

Question 8

Gratuitous ARP

Answer 8

Special packet to update ARP cache even without a request.

Question 9

IPV6 Loopback address is what?

Answer 9

::1 also uses 128-bit address

Question 10

IPv6 Address Types

Answer 10

Unicast - Addressed and inteded for one host interface. Multicast - Addresssed for multiple host interfaces. Anycast - Large number of hosts can receive; nearest host opens

Question 11

IPv6 Scopes

Answer 11

(Scope applies for multicast and anycast). Link Local - Applies only to hosts on the same subnet (Address block fe80::/10) Site Local: Applie to hosts within the same organization (Address block FEC0::/10). Global: Includes everything

Question 12

Lawful intercetpion

Answer 12

Legally intercepting communications between two parties

Question 13

Active vs Passive Wiretapping

Answer 13

Active - Interjecting something into communication. Passive - Only monitors and records the data.

Question 14

Active vs Passive Sniffing

Answer 14

Passive - Watching network traffic without interaction; only works for same collision domain. Active - Uses methods to make a switch send traffic to you even though it isn’t destined for your machine

Question 15

Span Port

Answer 15

Switch configuration that makes the switch send a copy of all frames from other ports to a specific port. Not all switches can do this.

Question 16

Network Tap

Answer 16

Special port on a switch that allows the connected device to see all traffic.

Question 17

Port Mirroring

Answer 17

Another word for span port

Question 18

CAM Table

Answer 18

The table on a switch that stores which MAC address is on which port. If table is empty or full, everything sent to all ports. This is whats known as MAC flooding

Question 19

Etherflood

Answer 19

Tool uses to cause MAC flooding

Question 20

Macof

Answer 20

Tool used to cause MAC flooding

Question 21

Switch port stealing

Answer 21

Similar to CAM flood. Flood the CAM with unsolicited ARPs. But instead of attempting to fill the table, you’re only interested in updating the information regarding a specific port, causing a race condition

Question 22

ARP Poisoning

Answer 22

Same as ARP Spoof or Gratuitous ARP. Changes the cache of machines so that packets are sent to you instead of intended target.

Question 23

What are some countermeasures to ARP poisoning ?

Answer 23

Dynamic ARP Inspection using DHCP snooping. Xarp can also watch for this. Default gateway MAC can be added permanently to machine’s cache.

Question 24

ARP Poisoning Tools

Answer 24

Cain and Abel, WinArpAttacker, Ufasoft

Question 25

DHCPv4 Packets

Answer 25

DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK

Question 26

DHCPv6 Packets

Answer 26

Solicit, Advertise, Request (confirm/Renew), Reply

Question 27

DHCP Steps

Answer 27

1. Client sends DHCPDISCOVER. 2. Server responds with DHCPOFFER. 3. Client sends request for IP with DHCPREQUEST. 4. Server sends address and config via DHCPACK

Question 28

DHCP Starvation

Answer 28

Attempt to exhaust all available addresses from the server.

Question 29

DHCP Starvation Tools

Answer 29

Yersinia, DHCPstarv

Question 30

Rogue DHCP Server

Answer 30

Fake DHCP server that hands out bad IP addresses to computers on network

Question 31

MAC Spoof vs IRDP Spoof vs DNS Poisoning

Answer 31

MAC - Changes your MAC address to have packets sent to yourself. IRDP Spoofing - hacker sends ICMP Router Discovery Protocol message for malicious gateway. DNS Poison - changs where machine gets their DNS info from.

Question 32

Ethereal

Answer 32

What Wireshark used to be called. Packet filter

Question 33

What does the following Wireshark filter accomplish: !(arp or icmp or dns)

Answer 33

Filters out the “noise” from ARP, DNS, and ICMP requests

Question 34

Wireshark filter: http.request

Answer 34

Displays HTTP GET requests

Question 35

ip.addr==172.17.15.12 && tcp.port==23 This filter does what on Wireshark?

Answer 35

Displays Telnet packets containing that IP.

Question 36

tcp.flags==0x16 This filter does what on Wireshark?

Answer 36

Filters TCP requests with ACK flag set

Question 37

tcpdump -i eth1

Answer 37

Puts interface in listening mode

Question 38

tcpdump -w

Answer 38

will write results to a file

Question 39

tcpdump syntax

Answer 39

tcpdump -i eth1 - puts interface in listening mode. -w will write results to file

Question 40

Windows version of tcpdump is what?

Answer 40

WinDump

Question 41

tcptrace

Answer 41

Analyzes files produced by packet capture programs such as Wireshark, tcpdump, and Etherpeek

Question 42

Ettercap

Answer 42

Sniffing tool, can also be used for MITM attacks, ARP poisoning

Question 43

Capsa Network Analyzer

Answer 43

Network snsiffer

Question 44

Snort

Answer 44

Open source IDS, can be used as a sniffer, traffic logger, and a protocol analyzer. Three modes: Sniffer, Packet Logger, NIDS

Question 45

Sniffing tools

Answer 45

Snort, Sniff-O-Matic, EtherPeek, WinDump, WinSniffer

Question 46

What does the following snort rule do: alert tcp !HOME_NET any -> $HOME_NET 31337 (msg : “BACKDOOR ATTEMPT-Backorifice”)

Answer 46

This rule tells snort “If you happen to come across any packet from any address that is not my home network, using any source port, intended for an address within my home network on port 31337

Question 47

Dynamic NAT vs Static NAT vs Port Address Translation (PAT)

Answer 47

Dynamic: Many to Many , Static: One to Many , Port Address Translation (PAT): Many to One

Question 48

Signature-based vs Anomaly-based IDS

Answer 48

Signature - Compares packets against a list of known traffic patterns. Anomaly - Makes decisions on alerts based on learned behavior and “normal” patterns.

Question 49

Screened Subnet

Answer 49

Hosts all public-facing servers and services.

Question 50

Bastion Hosts

Answer 50

Hosts on the screened subnet designed to protect internal resources.

Question 51

Private Zone

Answer 51

Hosts internal hosts that only respond to requests from within that zone

Question 52

Multi-homed Firewall

Answer 52

Firewall that has two or more interfaces

Question 53

Stateful Inspection

Answer 53

Firewalls that track the entire status of a connection

Question 54

Packet-Filtering

Answer 54

Firewalls that only looked at the headers

Question 55

Circuit-level Gateway

Answer 55

Firewall that works on Layer 5 (session Layer)

Question 56

Application-level gateway

Answer 56

Firewall that works lke a proxy, allowing specific services in or out.

Question 57

Tools for IDS evasion

Answer 57

Nessus, ADMmutate (creates scripts nto recognizable by signature files) NIDSbench, Inundator (flooding tool)

Question 58

An ICMP Type 3 Code 13 shows what?

Answer 58

Traffic is being blocked by the firewall

Question 59

ICMP Type 3 Code 3 shows that

Answer 59

The client itself has the port closed

Question 60

Firewalking

Answer 60

Going through every port on a firewall to determine what is open

Question 61

High Interaction vs Low Interaction Honeypot

Answer 61

High Interaction: Simulates all services and applications and is designed to be completely compromised. Low Interaction: Simulates a number of services and cannot be completely compromised.

Question 62

Honeypot Tools

Answer 62

Specter, Honeyd, KFSensor

Question 63

Tools for firewall evasion

Answer 63

CovertTCP, ICMP Shell, 007 Shell