fc_08_sniffing Flashcards

1
Q

Packet Sniffing

A

Packet sniffing is the process of monitoring and capturing the data packets passing through a given network with a software application or a hardware device.

It lets an attacker observe and read the traffic that crosses a given point in the network.

Packet sniffing lets an attacker gather sensitive information such as Telnet passwords, email traffic, syslog traffic, router configurations, web traffic, DNS traffic, FTP passwords, chat sessions, account information, etc.

Though most networks today use switches, packet sniffing is still useful: on a switched network the attacker first has to make the traffic reach their port (see active sniffing), and installing remote sniffing programs on network components that carry heavy traffic, such as servers and routers, is relatively easy.

How a sniffer works

A sniffer puts the system's NIC into promiscuous mode, so that the NIC passes up every frame seen on its segment instead of only the frames addressed to its own MAC address (plus broadcasts).

2
Q

Types of Sniffing

A

Passive sniffing

  • Passive sniffing is sniffing through a hub, where every frame is repeated to all ports
  • It only monitors the packets sent by others; the attacker injects no packets of their own into the network traffic
  • In a network that uses hubs to connect systems, every host sees all the traffic, so the attacker can capture the traffic going through the hub without doing anything else
  • Hubs are an outdated technology; most modern networks use switches, which forward a frame only to the port of its destination MAC address

Active Sniffing

  • Active sniffing is used to sniff a switch-based network
  • Because a switch does not repeat traffic to every port, the attacker has to inject packets to redirect it: for example flooding the switch's Content Addressable Memory (CAM) table, which maps MAC addresses to ports, with bogus entries until it fails open, or sending forged ARP (Address Resolution Protocol) packets to poison the hosts' ARP caches
3
Q

List active sniffing techniques

A
  1. MAC Flooding
  2. DHCP Attacks
  3. DNS Poisoning
  4. ARP Poisoning
  5. Switch Port Stealing
  6. Spoofing Attack
4
Q

How attackers hack the network using sniffers

A
5
Q

Protocols Vulnerable to Sniffing

A
  1. Telnet and rlogin: keystrokes, including user names and passwords, are sent in clear text
  2. HTTP: data is sent in clear text
  3. POP: passwords and data are sent in clear text
  4. IMAP: passwords and data are sent in clear text
  5. SMTP and NNTP: passwords and data are sent in clear text
  6. FTP: passwords and data are sent in clear text

All of these are safe from sniffing only when wrapped in TLS (HTTPS, POP3S/IMAPS or STARTTLS, FTPS) or replaced by an encrypted protocol (SSH, SFTP); see the countermeasures card.
6
Q

In which OSI layer do sniffers operate?

A

Data link layer (layer 2): the sniffer captures raw frames, so everything carried inside them can be read.

All layers above the data link layer can therefore be compromised by sniffing

7
Q

Hardware Protocol analyzers

A

  1. A hardware protocol analyzer is a piece of equipment that captures the signals on a cable segment without altering the traffic
  2. It can be used to monitor network usage and to identify malicious traffic generated by hacking software installed on the network
  3. It captures a data packet, decodes it, and analyzes its content according to predetermined rules
  4. It lets the operator (an attacker, if the tap is theirs) see the individual data bytes of each packet passing through the cable
8
Q

Name Hardware Analyzers

A

N2X N5540A Agilent Protocol Analyzer

Keysight E2960B

Others

 RADCOM PrismLite Protocol Analyzer (https://cybarcode.com)

 STINGA Protocol Analyzer (http://utelsystems.com)

 NETSCOUT’s OneTouch AT Network Assistant (http://enterprise.netscout.com)

 NETSCOUT’s OptiView XG Network Analysis Tablet (http://enterprise.netscout.com)

 Agilent (Keysight) Technologies 8753ES (https://www.microlease.com)

 Agilent (Keysight) Technologies E8364B (https://www.microlease.com)

 (Note: the 8753ES and E8364B are RF vector network analyzers, which measure the electrical characteristics of cables and components; they are not packet-level protocol analyzers.)

 U4421A Protocol Analyzer (http://www.keysight.com)

 U4431A MIPI M-PHY Protocol Analyzer (http://www.keysight.com)

9
Q

SPAN Ports

A
10
Q

Wiretapping (active wiretapping = MITM)

A
  • Wiretapping is the monitoring of telephone or Internet conversations by a third party
  • The attacker connects a listening device (hardware, software, or a combination of both) to the circuit carrying the information between two phones or between two hosts on the Internet
  • It lets the attacker monitor, intercept, access, and record the information carried by a data flow in a communication system
  • On a telephone line, the tap typically draws a small part of the electrical signal carried by the wires themselves to pick up the conversation

Types

  • Active Wiretapping: In hacking terminology, active wiretapping is an MITM attack. This allows an attacker to monitor and record the traffic or data flow in a communication system. The attacker can also alter or inject data into the communication or traffic.
  • Passive Wiretapping: Passive wiretapping is snooping or eavesdropping. This allows an attacker to monitor and record traffic. By observing the recorded traffic flow, the attacker can snoop for a password or other information.

Methods

  • The official tapping of telephone lines
  • The unofficial tapping of telephone lines
  • Recording the conversation
  • Direct line wiretap
  • Radio wiretap
11
Q

Lawful Interception

A

Lawful interception refers to legally intercepting data communication between two end points for surveillance on the traditional telecommunications, Voice over Internet Protocol (VoIP), data, and multiservice networks

12
Q

List Sniffing Techniques

A

MAC attacks, DHCP attacks, ARP poisoning, spoofing attacks, DNS poisoning

13
Q

MAC Attacks

A

s

14
Q

MAC Attacks => How CAM works?

A

Consider three machines, A, B and C, with MAC addresses A, B and C, connected to the same switch. Machine A wants to talk to Machine B but knows only B's IP address.

Machine A broadcasts an ARP request. The request carries the IP address of the target (Machine B) together with the source machine's (Machine A) MAC and IP addresses. When the frame enters the switch, the switch records A's source MAC address against the ingress port in its CAM table (this is how the table is learned), floods the broadcast out of every other port, and waits for B's reply. B's reply is a unicast frame to A's MAC; its source MAC lets the switch learn B's port the same way, and from then on frames between A and B are forwarded only between those two ports.

15
Q

MAC Attacks => What Happens When CAM Table Is Full?

A

Once the CAM table is full, the switch can no longer learn new source MAC addresses, so any frame whose destination MAC is not already in the table (or whose entry has aged out) is flooded out of every port

The switch therefore behaves like a hub for that traffic, repeating it on every port, and the attacker's port receives it too

Because the flood frames are forwarded onwards, the attack fills the CAM tables of adjacent switches as well

The switch "fails open": it keeps forwarding rather than dropping traffic, at the cost of isolation

16
Q

MAC Attacks => MAC Flooding

A

MAC flooding sends a stream of frames with bogus source MAC addresses (and, in macof's case, bogus IP addresses) so that the switch learns them until its CAM table is full

The switch then floods frames for destinations it cannot learn to every port, acting like a hub, and the attacker can sniff the traffic easily

MAC flooding switches with macof

  1. macof is a Unix/Linux tool that is part of the dsniff collection
  2. macof sends frames with random source MAC and IP addresses
  3. It fills the switch's CAM table with bogus entries (about 131,000 per minute)
17
Q

MAC Attacks => Switch Port Stealing

A

a

18
Q

MAC Attacks => How to Defend against MAC Attacks

A

Port security limits which MAC addresses may send frames on a switch port. When you assign secure MAC addresses to a secure port, the port forwards only frames whose source address is in that set of addresses.

A security violation occurs:

  • When a port is configured as a secure port, the maximum number of secure MAC addresses has been reached, and a frame arrives from a new source MAC address
  • When the MAC address of the machine attempting to use the port does not match any of the configured secure MAC addresses

After the maximum number of secure MAC addresses for the port is set, the secure addresses get into the address table in one of three ways:

  • You configure them all statically with the switchport port-security mac-address interface configuration command.
  • You let the port learn them dynamically from the source addresses of the connected devices (the sticky option keeps these learned addresses in the running configuration).
  • You configure some addresses statically and let the rest be learned dynamically.
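The CAM learning, the full-table fail-open and the port-security defence from the cards above, as one added runnable model (this is illustration code, not vendor code): a toy switch learns source MACs into a fixed-size table, floods unknown destinations when it is full, and optionally enforces "maximum 1, violation restrict" on the attacker's port. The port numbers, the 64-entry table and the 500-frame flood are assumptions chosen to keep the run small.

```python
# Toy model of a switch's CAM table, the fail-open behaviour when it is full,
# and port security (maximum 1, violation restrict) as the countermeasure.
# Added illustration only, not vendor code. Port numbers, the 64-entry table
# and the 500-frame flood are assumptions chosen to keep the run small.
import random

BROADCAST = "ff:ff:ff:ff:ff:ff"


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


class Switch:
    def __init__(self, ports, cam_size, port_security=None):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.cam = {}                                 # MAC -> port, learned from frame sources
        self.port_security = port_security or {}      # port -> max secure MACs
        self.secure = {p: set() for p in self.port_security}
        self.violations = []                          # (port, offending MAC)

    def _learn(self, src, in_port):
        if src in self.cam or len(self.cam) < self.cam_size:
            self.cam[src] = in_port                   # new entry, or refresh of an existing one
        # else: table full, the address stays unknown (this is what the flood exploits)

    def forward(self, in_port, src, dst):
        """Return the egress port list for a frame; [] means it was dropped."""
        limit = self.port_security.get(in_port)
        if limit is not None and src not in self.secure[in_port]:
            if len(self.secure[in_port]) >= limit:
                # 'violation restrict': drop the frame and count it, the port stays up
                self.violations.append((in_port, src))
                return []
            self.secure[in_port].add(src)
        self._learn(src, in_port)
        if dst != BROADCAST and dst in self.cam:
            return [self.cam[dst]]
        # broadcast or unknown unicast: flood out of every other port, like a hub
        return [p for p in self.ports if p != in_port]


def flood_demo(protect):
    """Attacker on port 1 floods bogus source MACs; hosts A (port 2) and B
    (port 3) then talk. Returns what the switch did with A's reply to B."""
    rng = random.Random(7)                            # fixed seed so the run is repeatable
    sec = {1: 1} if protect else None
    sw = Switch(ports=[1, 2, 3], cam_size=64, port_security=sec)
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    sw.forward(2, a, BROADCAST)                       # A is learned before the flood starts
    for _ in range(500):                              # macof-style flood of random MACs
        sw.forward(1, random_mac(rng), random_mac(rng))
    sw.forward(3, b, a)                               # B speaks: can the switch still learn it?
    egress = sw.forward(2, a, b)                      # A's reply to B
    return {
        "cam_entries": len(sw.cam),
        "a_to_b_egress": egress,                      # [3] is correct; [1, 3] leaks to the attacker
        "violations": len(sw.violations),
    }


if __name__ == "__main__":
    print("no port security:", flood_demo(False))
    print("port security   :", flood_demo(True))
```

Without port security the flood leaves the table full before B is ever learned, so A's unicast reply is flooded to the attacker's port as well; with maximum 1 on port 1, only the attacker's first address is accepted and the other 499 frames are counted as violations while A and B keep their private path.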
19
Q

DHCP Attacks => How DHCP Works

A

a

20
Q

DHCP Attacks => DHCP Request/Reply Messages

A

a

21
Q

DHCP Attacks => DHCP Starvation Attack

A

a

22
Q

DHCP Attacks => Rogue DHCP Server Attack

A

MITM

23
Q

DHCP Attacks => How to Defend Against DHCP Starvation and Rogue Server Attack

A
  • switchport port-security maximum 1: sets the maximum number of secure MAC addresses on the port; here 1, so a second source MAC on the port is a violation.
  • switchport port-security violation restrict: sets the violation mode. restrict drops frames from unknown source addresses (and increments the violation counter, logs and sends an SNMP trap) until enough secure MAC addresses have been removed; protect drops them silently and shutdown err-disables the port.
  • switchport port-security aging time 2: sets the secure MAC address aging time on the port to 2 minutes.
  • switchport port-security aging type inactivity: ages secure addresses out after they have been inactive for the aging time, rather than after an absolute time.
  • switchport port-security mac-address sticky: enables sticky learning; dynamically learned secure MAC addresses are added to the running configuration and converted to sticky secure MAC addresses, so they survive a link flap (and a reload, once the configuration is saved).

Port security counters DHCP starvation only when the attacker changes the frame's source MAC for every request. DHCP snooping also verifies that the chaddr field of a DHCP packet received on an untrusted port matches the frame's source MAC (ip dhcp snooping verify mac-address, enabled by default), and ip dhcp snooping limit rate on the interface caps the number of DHCP packets per second.

For rogue DHCP server protection

  • ip dhcp snooping: enables DHCP snooping globally.
  • ip dhcp snooping vlan 4,104: enables DHCP snooping on the listed VLANs. With snooping on, DHCP server messages (OFFER, ACK, NAK) are dropped on every port not marked with ip dhcp snooping trust, which is what stops the rogue server.
  • no ip dhcp snooping information option: disables the insertion and removal of the DHCP option-82 (relay agent information) field. The separate command no ip dhcp snooping information option allow-untrusted makes an aggregation switch drop incoming DHCP packets that carry option-82 from an edge switch on an untrusted port.
24
Q

ARP Poisoning => What Is Address Resolution Protocol (ARP)?

A
  • Address Resolution Protocol (ARP) is a stateless protocol that resolves IP addresses to hardware (MAC) addresses
  • Every network device that needs to communicate on the LAN broadcasts ARP queries to find out other machines' MAC addresses
  • When one machine needs to talk to another, it first looks in its own ARP table (cache); if the MAC address is not there, it broadcasts an ARP_REQUEST on the network
  • Every machine on the network compares the requested IP address with its own IP address
  • The machine that owns that address answers the ARP_REQUEST with an ARP_REPLY containing its IP and MAC address; the requester stores the pair in its ARP table and begins communicating
  • Because ARP is stateless, most hosts accept replies they never asked for and overwrite existing entries, which is what ARP poisoning exploits
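The ARP exchange above and the poisoning it enables, as an added example (not code from any of the ARP tools listed on this page): a parser for raw Ethernet+ARP frames, a builder that produces them, and a small arpwatch-style detector that flags the two signatures a defender looks for, an IP whose MAC suddenly changes and one MAC announcing many IPs. The addresses in the sample frames are made up.

```python
# Parser and builder for raw Ethernet+ARP frames plus an arpwatch-style
# detector for ARP poisoning. Added example, not code from any of the tools
# listed on the page; every address in the constructed frames is made up.
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"      # htype ptype hlen plen op sha spa tha tpa
ZERO_MAC = b"\x00" * 6
BCAST_MAC = b"\xff" * 6


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sha, spa, tha, tpa):
    """Ethernet + ARP frame. op 1 = request (broadcast), op 2 = reply (unicast to tha)."""
    eth_dst = BCAST_MAC if op == 1 else tha
    eth = struct.pack("!6s6sH", eth_dst, sha, ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sha,
                      IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields as a dict, or None if this is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _dst, _src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(IPv4Address(tpa))}


class ArpWatcher:
    """Tracks sender IP/MAC pairs from every ARP seen (requests and replies
    both update caches, so both are watched) and reports anomalies."""

    def __init__(self, max_ips_per_mac=3):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.max_ips = max_ips_per_mac

    def observe(self, frame):
        arp = parse_arp(frame)
        alerts = []
        if arp is None or arp["spa"] == "0.0.0.0":      # ignore non-ARP frames and ARP probes
            return alerts
        ip, mac = arp["spa"], arp["sha"]
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(f"{ip} changed from {old} to {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > self.max_ips:
            alerts.append(f"{mac} claims {len(self.mac_to_ips[mac])} IPs")
        return alerts


def demo():
    """Constructed capture: a normal gateway lookup, then an attacker poisoning
    the gateway entry and sweeping the segment. Returns the alerts raised."""
    gw_mac, gw_ip = mac_bytes("00:11:22:33:44:01"), "192.168.1.1"
    vic_mac, vic_ip = mac_bytes("00:11:22:33:44:42"), "192.168.1.42"
    atk_mac = mac_bytes("de:ad:be:ef:00:01")
    frames = [
        build_arp(1, vic_mac, vic_ip, ZERO_MAC, gw_ip),   # victim: who has 192.168.1.1?
        build_arp(2, gw_mac, gw_ip, vic_mac, vic_ip),     # genuine reply from the gateway
        build_arp(2, atk_mac, gw_ip, vic_mac, vic_ip),    # spoofed reply: attacker "is" the gateway
    ]
    for host in range(10, 14):                            # attacker then claims several hosts
        frames.append(build_arp(2, atk_mac, f"192.168.1.{host}", vic_mac, vic_ip))
    watcher = ArpWatcher()
    alerts = []
    for f in frames:
        alerts.extend(watcher.observe(f))
    return alerts


if __name__ == "__main__":
    for line in demo():
        print("ALERT:", line)
```

The first alert is the classic gateway poisoning (one IP, two MACs); the later ones fire when a single MAC has claimed more IPs than the threshold, which is how an attacker poisoning a whole segment with a tool such as arpspoof looks on the wire.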
25
Q

ARP Poisoning => ARP Spoofing Attack

A

ARP spoofing (poisoning) sends forged ARP replies so that a victim maps an IP address, typically the default gateway's, to the attacker's MAC address. It is rarely the end goal; it is the stepping stone for DoS, MITM, and session hijacking attacks.

https://www.youtube.com/watch?v=A7nih6SANYs&t=12s

Typical target: the victim's ARP entry for the gateway (and the gateway's entry for the victim, so that both directions pass through the attacker)

26
Q

ARP Poisoning => ARP Poisoning Tools

A

Ufasoft Snif

Others

  •  BetterCAP (https://www.bettercap.org)
  •  Ettercap (https://github.com)
  •  ArpSpoofTool (https://sourceforge.net)
  •  MITMf (https://github.com)
  •  Cain & Abel (http://www.oxid.it)
  •  Arpoison (https://sourceforge.net)
  •  hping3 (http://www.hping.org)
27
Q

ARP Poisoning => How to Defend Against ARP Poisoning

A

Dynamic ARP Inspection (DAI) prevents poisoning attacks. DAI is a switch security feature that validates ARP packets. When DAI is enabled on a VLAN, all ports in the VLAN are untrusted by default, and every ARP packet arriving on an untrusted port is checked against the DHCP snooping binding table, which holds the MAC address, IP address, VLAN and interface learned by listening to DHCP exchanges. You must therefore enable DHCP snooping before DAI: with an empty binding table DAI drops every ARP packet on the untrusted ports, no host in the VLAN can resolve its neighbours, and you have a self-imposed DoS. Uplinks to other switches are marked trusted (ip arp inspection trust) so that inter-switch ARP traffic is not inspected.

If hosts use static IP addresses, no DHCP exchange ever populates the binding table, and not every switch in the network may support DAI. For such hosts you configure static IP-to-MAC mappings for the VLAN (an ARP access list applied with the ip arp inspection filter command) so that their ARP packets pass inspection and spoofed ones are still dropped.

28
Q

ARP Poisoning => Configuring DHCP Snooping and Dynamic ARP Inspection on Cisco Switches

A

Enable DHCP snooping globally (global configuration mode):

Switch(config)# ip dhcp snooping

Enable DHCP snooping for a VLAN:

  • Switch(config)# ip dhcp snooping vlan 10
  • Switch(config)# ^Z

View the DHCP snooping status:

Switch# show ip dhcp snooping

If the switch operates only at layer 2, apply ip dhcp snooping trust to the layer 2 uplink interfaces to designate them as trusted. This tells the switch that DHCP server responses may arrive on those interfaces; on every other (untrusted) port they are dropped.

View the DHCP snooping binding table (privileged EXEC mode, not configuration mode):

Switch# show ip dhcp snooping binding

Enable ARP inspection for a VLAN:

Switch(config)# ip arp inspection vlan 10

For several VLANs: Switch(config)# ip arp inspection vlan 10,11,12,13 or Switch(config)# ip arp inspection vlan 10-13

Mark the uplinks as trusted so that ARP traffic between switches is not inspected:

Switch(config-if)# ip arp inspection trust

View the ARP inspection status:

  • Switch# show ip arp inspection
  • A denied packet is logged like this (here a host on Fa0/5 claiming the gateway address 192.168.10.1):
    %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/5, vlan 10 ([0013.6050.acf4/192.168.10.1/ffff.ffff.ffff/192.168.10.1/05:37:31 UTC Mon Oct 30 2017])
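What the DHCP snooping and DAI commands above make the switch do, as an added model (illustration code, not Cisco code): DHCP and ARP messages are reduced to the fields the checks look at, server messages on untrusted ports are dropped, a lease acknowledged through the trusted uplink creates a binding, the chaddr/source-MAC check stops a starvation attempt, and ARP on untrusted ports is validated against the bindings (with a static mapping for the gateway, which never uses DHCP). Port names, MACs and addresses are made up.

```python
# Decision logic of DHCP snooping and Dynamic ARP Inspection on one access
# switch. Added illustration, not vendor code: messages are reduced to the
# fields the checks inspect, and all port names, MACs and addresses are made up.
from dataclasses import dataclass

DHCP_SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, snoop_vlans, dai_vlans, trusted_ports):
        self.snoop_vlans = set(snoop_vlans)
        self.dai_vlans = set(dai_vlans)
        self.trusted = set(trusted_ports)          # uplinks towards the real DHCP server
        self.bindings = {}                         # (vlan, ip) -> Binding
        self.pending = {}                          # client MAC -> port it asked on
        self.log = []

    def dhcp(self, port, vlan, src_mac, msg_type, chaddr, yiaddr=None):
        """Apply DHCP snooping to one message; return True if it is forwarded."""
        if vlan not in self.snoop_vlans:
            return True
        if port not in self.trusted:
            if msg_type in DHCP_SERVER_MSGS:
                self.log.append(f"drop {msg_type} from {src_mac} on untrusted {port} (rogue server)")
                return False
            if chaddr != src_mac:                  # MAC-address verification against starvation
                self.log.append(f"drop {msg_type} on {port}: chaddr {chaddr} != frame src {src_mac}")
                return False
            self.pending[chaddr] = port            # remember which port the client sits on
        if msg_type == "ACK" and yiaddr:           # a lease from a trusted server builds a binding
            client_port = self.pending.pop(chaddr, None)
            if client_port is not None:
                self.bindings[(vlan, yiaddr)] = Binding(chaddr, yiaddr, vlan, client_port)
        return True

    def add_static(self, vlan, ip, mac, port):
        """Static mapping for hosts that never use DHCP (gateways, servers)."""
        self.bindings[(vlan, ip)] = Binding(mac, ip, vlan, port)

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the sender MAC/IP pair must match a binding."""
        if port in self.trusted or vlan not in self.dai_vlans:
            return True
        b = self.bindings.get((vlan, sender_ip))
        if b is None or b.mac != sender_mac:
            self.log.append(f"%SW_DAI-4-DHCP_SNOOPING_DENY: invalid ARP on {port}, vlan {vlan} "
                            f"([{sender_mac}/{sender_ip}])")
            return False
        return True


def demo():
    """Walk a client lease, a rogue server, a starvation attempt and two ARPs
    through the switch. Returns the forward/drop verdicts and the switch."""
    client, server, rogue = "00:16:41:aa:bb:01", "00:aa:bb:cc:dd:01", "de:ad:be:ef:00:01"
    sw = SnoopingSwitch(snoop_vlans={10}, dai_vlans={10}, trusted_ports={"Gi0/24"})
    sw.add_static(10, "192.168.10.1", "00:aa:bb:cc:dd:fe", "Gi0/24")   # the real gateway
    v = {}
    sw.dhcp("Fa0/5", 10, client, "DISCOVER", chaddr=client)
    sw.dhcp("Gi0/24", 10, server, "OFFER", chaddr=client, yiaddr="192.168.10.50")
    sw.dhcp("Fa0/5", 10, client, "REQUEST", chaddr=client)
    v["ack"] = sw.dhcp("Gi0/24", 10, server, "ACK", chaddr=client, yiaddr="192.168.10.50")
    v["rogue_offer"] = sw.dhcp("Fa0/7", 10, rogue, "OFFER", chaddr=client, yiaddr="192.168.10.99")
    v["starvation"] = sw.dhcp("Fa0/7", 10, rogue, "DISCOVER", chaddr="02:00:00:00:00:01")
    v["arp_client"] = sw.arp("Fa0/5", 10, client, "192.168.10.50")
    v["arp_spoof_gw"] = sw.arp("Fa0/7", 10, rogue, "192.168.10.1")
    return v, sw


if __name__ == "__main__":
    verdicts, switch = demo()
    print(verdicts)
    print("\n".join(switch.log))
```

The order matters in practice exactly as the card says: if DAI were enabled before the ACK had built the binding for 192.168.10.50, the client's own ARP would be denied too.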
29
Q

ARP Spoofing => ARP Spoofing Detection Tools

A

XArp

Others

 Capsa Network Analyzer (http://www.colasoft.com)

 ArpON (http://arpon.sourceforge.net)

 ARP AntiSpoofer (https://sourceforge.net)

 ARPStraw (https://github.com)

 shARP (https://github.com)

30
Q

Spoofing Attacks => MAC Duplicating

A

MAC duplicating refers to spoofing a MAC address with the MAC address of a legitimate user on the network.

A MAC duplicating attack involves sniffing a network for MAC addresses of legitimate clients connected to the network.

In this attack, the attacker first retrieves the MAC addresses of clients who are actively associated with the switch port.

Then the attacker spoofs a MAC address with the MAC address of the legitimate client.

If the spoofing is successful, then the attacker can receive all the traffic destined for the client. Thus, an attacker can gain access to the network and take over the identity of someone on the network

31
Q

Spoofing Attacks => MAC Spoofing Technique: Windows (registry method)

A
  • Press Win + R to open Run and type regedt32 to start the registry editor (the source advises regedt32 rather than regedit; on current Windows versions both open the same editor)
  • Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} (the network adapter class) and expand the tree
  • You will find 4-digit subkeys representing the network adapters (0000, 0001, 0002, etc.)
  • Check the "DriverDesc" value of each subkey to find the desired interface
  • Edit, or add, the string value "NetworkAddress" (type REG_SZ) and set it to the new MAC address, written as 12 hex digits without separators
  • Disable and then re-enable the changed network interface, or reboot the system
32
Q

Spoofing Attacks => MAC Spoofing Tools (Windows)

A

Technitium MAC Address Changer

Others

  • MAC Address Changer http://www.novirusthanks.org
  • Change MAC Address https://lizardsystems.com
  • GhostMAC http://ghostmac.fevermedia.ro
  • Spoof-Me-Now https://sourceforge.net
  • SMAC http://www.klcconsulting.net
33
Q

Spoofing Attacks=> MAC Spoofing Tools

A

Technitium MAC Address Changer

Technitium MAC Address Changer (TMAC) allows you to change (spoof) Media Access Control (MAC) Address of your Network Interface Card (NIC) instantly

  • MAC Address Changer http://www.novirusthanks.org
  • Change MAC Address https://lizardsystems.com
  • GhostMAC http://ghostmac.fevermedia.ro
  • Spoof-Me-Now https://sourceforge.net
  • SMAC http://www.klcconsulting.net

34
Q

Spoofing Attacks => IRDP Spoofing

A

Attackers can use ICMP Router Discovery Protocol (IRDP) spoofing to launch MITM, DoS, and passive sniffing attacks. IRDP lets hosts learn their default router from router advertisements, and those advertisements are unauthenticated, so an attacker can send their own.

Passive sniffing: in a switched network the attacker spoofs IRDP router advertisements so that the target hosts route their outbound traffic through the attacker's machine, where it can be sniffed.

MITM: once the traffic flows through the attacker's machine, the attacker acts as a proxy between the victim and the destination and can read and modify the traffic.

DoS: IRDP spoofing lets a remote attacker insert wrong route entries into the victim's routing table; traffic sent to the bogus router is lost, causing DoS.

35
Q

Spoofing Attacks => How to Defend Against MAC Spoofing

A

To detect MAC spoofing you need an inventory of all the MAC addresses on the network. Placing the server behind a router is recommended as a defence because routers forward on IP addresses, whereas switches forward on MAC addresses, so a MAC spoofed on the client segment carries no weight past the router. Configuring port security on the switch interfaces is another way to prevent MAC spoofing attacks.

Once port security is enabled, you can specify the MAC address of the system connected to a given port and the action to take when a port security violation occurs.

  • DHCP Snooping Binding Table: DHCP snooping filters untrusted DHCP messages and builds a binding table containing the MAC address, IP address, lease time, binding type, VLAN number, and interface of each host on an untrusted interface of the switch. It acts as a firewall between untrusted hosts and DHCP servers and distinguishes trusted from untrusted interfaces.
  • Dynamic ARP Inspection: the switch checks the IP-to-MAC binding of every ARP packet against that table and drops packets with invalid bindings.
  • IP Source Guard: a switch feature that restricts IP traffic on untrusted Layer 2 ports by filtering it against the DHCP snooping binding database, so an attacker cannot use another host's IP address.
  • Encryption: encrypt the communication between the access point and the computer, so that a spoofed MAC alone gives no access to the data.
  • Retrieval of MAC Address: always retrieve the MAC address from the NIC directly instead of from the OS, which reports the spoofed value.
  • Implementation of IEEE 802.1X: a port-based Network Access Control (PNAC) protocol whose purpose is to enforce authentication at the point where a user joins the network, so a MAC address alone is not enough to get in
  • AAA (Authentication, Authorization and Accounting): use an AAA server to authenticate devices and filter MAC addresses on that basis.
36
Q

DNS Poisoning=> DNS Poisoning Techniques

A
37
Q

DNS Poisoning => Intranet DNS Spoofing

A

a

38
Q

DNS Poisoning => Internet DNS Spoofing

A
39
Q

DNS Poisoning => Proxy Server DNS Poisoning

A
40
Q

DNS Poisoning => DNS Cache Poisoning

A
41
Q

DNS Poisoning => How to Defend Against DNS Spoofing

A
42
Q

Sniffing Tools => Wireshark

A
  • It lets you capture and interactively browse the traffic running on a computer network
  • Wireshark captures packets through libpcap (Npcap, the successor of WinPcap, on Windows)
  • It captures live traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay and FDDI networks
  • A set of display filters lets you narrow the packet list to the traffic you care about

Follow TCP Stream

Wireshark's "Follow TCP Stream" feature reassembles the payload of one TCP connection and presents it the way the application layer saw it, one colour per direction. Use it to find passwords in a Telnet session or to make sense of a data stream. Select a packet of the connection in the packet list and choose Analyze > Follow > TCP Stream (or right-click the packet). Wireshark shows the whole conversation and applies a display filter (tcp.stream eq N) so that the packet list shows only that connection.
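What "Follow TCP Stream" does with the cleartext protocols from the "Protocols Vulnerable to Sniffing" card, as an added example (not Wireshark code): raw IPv4/TCP packets are parsed, grouped per direction, put back in sequence order with retransmitted bytes dropped, and the resulting stream shows a Telnet login and password in the clear. The capture is constructed inline for the example; addresses, ports and credentials are made up.

```python
# Minimal "Follow TCP Stream": parse raw IPv4/TCP packets, group them per
# direction, reorder by sequence number and drop retransmitted bytes, then
# return the cleartext the way Wireshark would show it. Added illustration,
# not Wireshark code; the Telnet login below is constructed for the example.
import struct
from collections import defaultdict
from ipaddress import IPv4Address

IP_FMT = "!BBHHHBBH4s4s"        # 20-byte IPv4 header without options
TCP_FMT = "!HHIIBBHHH"          # 20-byte TCP header without options
PSH_ACK = 0x18


def build_packet(src, sport, dst, dport, seq, payload):
    """IPv4+TCP packet with minimal headers; checksums are left zero because
    the parser below never verifies them."""
    tcp = struct.pack(TCP_FMT, sport, dport, seq, 0, 5 << 4, PSH_ACK, 65535, 0, 0) + payload
    ip = struct.pack(IP_FMT, 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


def parse_packet(pkt):
    """Return addresses, ports, seq and payload for a TCP packet, else None."""
    if len(pkt) < 40:
        return None
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    sport, dport, seq, _ack, off, _flags, _win, _csum, _urg = struct.unpack(TCP_FMT, pkt[ihl:ihl + 20])
    doff = (off >> 4) * 4
    return {"src": str(IPv4Address(src)), "sport": sport, "dst": str(IPv4Address(dst)),
            "dport": dport, "seq": seq, "payload": pkt[ihl + doff:total]}


def follow_tcp_stream(packets):
    """Reassemble each direction of every TCP conversation.
    Returns {"a.b.c.d:p -> e.f.g.h:q": bytes}."""
    segments = defaultdict(list)
    for pkt in packets:
        p = parse_packet(pkt)
        if p and p["payload"]:
            key = f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}"
            segments[key].append((p["seq"], p["payload"]))
    streams = {}
    for key, segs in segments.items():
        data, expected = b"", None
        for seq, payload in sorted(segs):            # out-of-order segments back in order
            end = seq + len(payload)
            if expected is not None and end <= expected:
                continue                             # full retransmission: bytes already present
            if expected is not None and seq < expected:
                payload = payload[expected - seq:]   # partial overlap: keep only the new tail
            data += payload                          # a gap (seq > expected) is simply joined
            expected = end
        streams[key] = data
    return streams


def sample_capture():
    """Constructed Telnet login, delivered with one segment out of order and
    one retransmitted, as a real capture often is."""
    c, s = ("10.0.0.5", 40000), ("10.0.0.23", 23)

    def c2s(seq, data):
        return build_packet(c[0], c[1], s[0], s[1], seq, data)

    def s2c(seq, data):
        return build_packet(s[0], s[1], c[0], c[1], seq, data)

    return [
        s2c(1000, b"login: "),
        c2s(5003, b"ce\r\n"),                # arrives before the segment it follows
        c2s(5000, b"ali"),
        s2c(1007, b"Password: "),
        c2s(5007, b"hunter2\r\n"),
        c2s(5007, b"hunter2\r\n"),           # retransmission: must not be duplicated
        s2c(1017, b"Last login: Mon Oct 30 05:37:31 2017\r\n$ "),
    ]


if __name__ == "__main__":
    for direction, data in follow_tcp_stream(sample_capture()).items():
        print(direction, repr(data))
```

The client-to-server stream comes out as the typed user name and password, which is all an attacker sitting on a hub, a SPAN port, or a flooded switch needs from a Telnet session; the same reassembly on an SSH session yields only ciphertext.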

43
Q

Sniffing Tools => Follow TCP Stream in Wireshark

A

Additional Filters

  •  tcp.flags.reset==1 Displays all TCP resets
  •  udp contains 33:27:58 Sets a filter for the hex bytes 0x33 0x27 0x58 at any offset in the UDP packet
  •  http.request Displays all HTTP requests (any method); http.request.method == "GET" restricts this to GET requests
  •  tcp.analysis.retransmission Displays all retransmissions in the trace
  •  tcp contains traffic Displays all TCP packets that contain the word 'traffic'
  •  !(arp or icmp or dns) Masks out ARP, ICMP and DNS so you can see the traffic you are interested in
  •  tcp.port == 4000 Sets a filter for any TCP packet with 4000 as a source or destination port
  •  tcp.port eq 25 or icmp Displays only SMTP (port 25) and ICMP traffic
  •  ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16 Displays only traffic inside the LAN (192.168.x.x), between workstations and servers; no Internet traffic
  •  ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip Filters by a protocol (here SIP) while excluding unwanted IP addresses (xxx.xxx.xxx.xxx is a placeholder)
44
Q

Sniffing Tools => Display Filters in Wireshark

A

a

45
Q

Sniffing Tools => Additional Wireshark Filters

A

a

46
Q

Sniffing Tools => SteelCentral Packet Analyzer and Capsa Network Analyzer

A

SteelCentral Packet Analyzer

SteelCentral Packet Analyzer provides a graphical console for high-speed packet analysis

Capsa Network Analyzer

Capsa Network Analyzer captures all data transmitted over the network and provides a wide range of analysis statistics in an intuitive and graphic way

47
Q

Sniffing Tools=> OmniPeek and Observer Analyzer

A

OmniPeek

OmniPeek sniffer displays a Google Map in the OmniPeek capture window showing the locations of all the public IP addresses of captured packets

Observer Analyzer

Observer provides a comprehensive drill-down into network traffic and provides back-in-time analysis, reporting, trending, alarms, application tools, and route monitoring capabilities

48
Q

Sniffing Tools: Additional tools

A

Sniffing Tools: OmniPeek and Observer Analyzer

49
Q

Sniffing Tools: Packet Sniffing Tools for Mobile

A

Wi.cap. Network Sniffer Pro

FaceNiff

Packet Capture

50
Q

Countermeasures:

How to Defend Against Sniffing

A
  1.  Restrict physical access to the network media so that a packet sniffer cannot be installed.
  2.  Use end-to-end encryption to protect confidential information.
  3.  Add a static ARP entry for the gateway's MAC address so that a spoofed reply cannot overwrite it.
  4.  Use static IP addresses and static ARP tables to prevent attackers from adding spoofed ARP entries for machines in the network (practical only for small, stable networks).
  5.  Turn off network identification broadcasts and, where possible, restrict the network to authorized users, so that the network is harder to discover with sniffing tools.
  6.  Use IPv6 instead of IPv4 (note: IPv6 by itself does not stop sniffing; Neighbor Discovery can be spoofed like ARP, so this helps only together with IPsec or other encryption).
  7.  Use encrypted sessions such as SSH instead of Telnet, Secure Copy (SCP) instead of FTP, TLS for email connections, etc. to protect users against sniffing attacks.
  8.  Use HTTPS instead of HTTP to protect usernames and passwords.
  9.  Use a switch instead of a hub, as a switch delivers a frame only to the port of the intended recipient (and protect the switch against MAC flooding with port security).
  10.  Use Secure File Transfer Protocol (SFTP) instead of FTP for secure transfer of files.
  11.  Use PGP and S/MIME, VPN, IPsec, SSL/TLS, Secure Shell (SSH), and one-time passwords (OTP).
  12.  Always encrypt wireless traffic with a strong protocol such as WPA2 or WPA3 (the original WPA with TKIP is deprecated).
  13.  Retrieve the MAC address directly from the NIC instead of from the OS; this defeats software MAC spoofing.
  14.  Use tools to determine whether any NICs are running in promiscuous mode.
  15.  Use Access Control Lists (ACLs) to allow access only from a fixed range of trusted IP addresses.
  16.  Change default passwords to complex passwords.
  17.  Avoid broadcasting the SSID (Service Set Identifier).
  18.  Implement MAC filtering on your router.
51
Q

Sniffing Detection Techniques

How to Detect Sniffing

A

a

52
Q

Sniffer Detection Techniques: Ping Method and DNS Method

A

Ping method: send an ICMP echo request to the suspect host's IP address but with a wrong destination MAC address; a normal NIC discards the frame, while a host in promiscuous mode accepts it and replies.

DNS method: a sniffer that resolves the IP addresses it captures performs reverse DNS lookups for hosts it has no reason to contact; watch for those lookups, or generate traffic to a fake address and see who looks it up.

53
Q

Sniffer Detection Technique: ARP Method

A

a

54
Q

Sniffing Detection Techniques: Promiscuous Detection Tools

A

PromqryUI: PromqryUI is a security tool from Microsoft that can be used to detect network interfaces that are running in promiscuous mode

Nmap:

Nmap’s NSE script allows you to check if a target on a local Ethernet has its network card in promiscuous mode

Command to detect NIC in promiscuous mode:

nmap --script=sniffer-detect [target IP address or range]

(The script works over ARP, so it must be run from a host on the same Ethernet segment as the targets.)

55
Q

Sniffing Pen Testing: Sniffing Penetration Testing1

A
56
Q
A
57
Q

CAM Table

A

The CAM (Content Addressable Memory) table is a dynamic table of fixed size. It stores information such as MAC addresses available on physical ports along with VLAN parameters associated with them. When a machine sends data to another machine in a network, the data passes through the switch. The switch searches for the destination MAC address (located in the Ethernet frame) in its CAM table, and once the MAC address is found, it forwards data to the machine through the port with which the MAC address is bound.

58
Q

MAC Attacks => How to Defend against MAC Attacks Commands

A
  • switchport port-security

Enables port security on the interface.

  • switchport port-security maximum 1 vlan access

Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 3072. The default is 1.

  • switchport port-security violation restrict

Sets the violation mode, i.e. the action taken when a security violation is detected: protect (drop silently), restrict (drop, count and log) or shutdown (err-disable the port).

  • switchport port-security aging time 2

Sets the aging time for the secure port.

  • switchport port-security aging type inactivity

The type keyword sets the aging type: absolute (age out after the aging time regardless of activity) or inactivity (age out only after the address has been idle for the aging time).

  • snmp-server enable traps port-security trap-rate 5

Controls the rate at which SNMP traps are generated.

59
Q

Threats of ARP Poisoning

A
60
Q

Sniffing Pen Testing: Sniffing Penetration Testing2

A
61
Q

Sniffing Pen Testing: Sniffing Penetration Testing3

A