Intrusion Detection: Link-Layer and Network Layers Flashcards

1
Q

TCP Header

A
  • The application layer passes the payload down to the Transport Layer.
  • The Transport Layer adds a TCP Header to the application payload
  • This header includes crucial transmission information such as source and destination ports, as well as information that makes sure the TCP segment arrives as expected
2
Q

IP Packet Header

A
  • The TCP header and the application payload are now being pushed to the Internet Layer
  • The Internet Layer adds the IP header
  • This header includes information that makes sure the packet is delivered to the correct destination IP
3
Q

During packet decapsulation, how does the Network Access layer (Data Link) know to pass the packet along to the Internet Layer (Network)?

A
  • An indicator exists that reveals what protocol follows the Ethernet header (IPv4 or IPv6)
  • The Ethernet Layer passes all data following the Ethernet Header to the IPv4 handling part of the IP layer
4
Q

How is encapsulation observed in Wireshark?

A
  • On a given line of a Wireshark packet stream, several sections appear below, one for each layer of the frame, which can be expanded to see the bytes of that part of the encapsulated frame
  • The layers from top down are:
    • Network access layer
    • Internet layer
    • Transport layer
    • Application layer
5
Q

What is IEEE 802.X?

A
  • Link Layers; a family of standards that enable intercommunication between equipment from a variety of manufacturers
  • Specifies functions of the physical layer and the data link layer of major LAN protocols
  • The most common link layers being used today:
    • 802.3: Ethernet
    • 802.11: Wireless
    • 802.15.1: Bluetooth
6
Q

What are the sections of an Ethernet Frame?

A
  • Preamble
  • Recipient MAC
  • Sender MAC
  • Type
  • Data
  • Pad
  • FCS
7
Q

Preamble

A
  • 64 bits of information telling the receiving NIC that a frame is coming and where the frame starts
  • 8 bytes
8
Q

Type

A
  • Tells the recipient the basic type of data carried, such as IPv4 or IPv6
  • 2 bytes
    0x0800 = IPv4
    0x0806 = ARP
    0x86DD = IPv6
9
Q

Data

A
  • Whatever payload the frame carries, such as an IP packet
  • Can be up to 1500 bytes
10
Q

Pad

A
  • The minimum frame size is 64 bytes
  • If the frame is less than 64 bytes, the NIC adds extra data in the Pad
11
Q

FCS

A
  • Frame Check Sequence
  • Error checking mechanism
  • 4 bytes
12
Q

What are the security issues with ARP?

A
  • There is no way to validate MAC address ownership
  • ARP is stateless (cache/table entries are simply updated when IP/MAC pairs are observed)
13
Q

What is the outcome of a successful ARP attack?

A
  • The attacker can intercept (MITM) traffic destined for another host, inspect it, alter it, and ultimately forward it to the original/intended destination, or forward it back to the sender
14
Q

How do you modify Wireshark to see the source and destination MAC addresses in an ARP request/response?

A

View > Name Resolution > Resolve Physical Address

15
Q

What is the OP code for an ARP request in Wireshark?

A

Opcode request (1)

16
Q

What is the OP code for an ARP reply in Wireshark?

A

Opcode reply (2)

17
Q

Gratuitous ARP Request

A
  • A request packet where the source and destination IP are both set to the IP of the machine issuing the packet, and the destination MAC is the broadcast address
18
Q

Gratuitous ARP Reply

A
  • An ARP reply that has been sent without being requested
19
Q

Abusing Gratuitous ARP

A
  • Using crafted/illegitimate MAC addresses
  • Typically results in lots of ARP traffic
20
Q

Example of malicious ARP in Wireshark?

A
  • Lots of ARP traffic from a single MAC
  • Broadcast traffic
  • Each request increments by one on the requested IP address
21
Q

ARP Poisoning (Internal)

A
  • Exploited to add fake information between two communicating peers in a local network
  • In a scenario where M (the attacker) wants to listen to all traffic between A and B
  • M sends fake IP/MAC pairs to both A and B, making M the MITM
  • Both A’s and B’s ARP caches are poisoned with the MAC of M:
    • A Poisoned with IP_B/MAC_M
    • B Poisoned with IP_A/MAC_M
22
Q

ARP Poisoning (External/Remote)

A
  • When a host in a LAN wants to send packets to hosts outside the LAN, it uses the default gateway
  • The default gateway MAC address must be used to forward packets along with the correct IP address
  • Here is the process:
      1. Host A wants to send packets to the Internet. It already has the IP of the gateway (IP_G), and it needs the associated MAC address.
      2. M can use a gratuitous ARP reply to advertise itself as the default gateway: it binds IP_G to its own MAC (MAC_M)
      3. All the traffic meant to leave the LAN will pass through M, which then redirects it to the real gateway
23
Q

How can you search for a malicious device’s traffic in Wireshark?

A
  • Use the filter [eth.addr==]
24
Q

What are the distinct values of the IPv4 header?

A
  • Length: length of the IP header
  • Total Length: length of IP packet, including IP header and the user data
  • Fragmented Offset: if a packet is divided, the fragmentation offset value will be used to reassemble the packet
  • Version: version of IP
  • IHL: Internet Header Length; 4 byte increments
  • DSCP: differentiated services code point
  • ECN explicit congestion notification
25
Q

Ping of death

A
  • DoS technique
  • Sending IP packets exceeding the 65535-byte data limit via a ping command
  • This overly large packet would be fragmented and reassembled at the destination host
  • When the OS tries to reassemble such a packet, it experiences system crashes, reboots, or major degradation in performance
26
Q

Teardrop Attack

A
  • Crafted overlapping fragments were utilized to introduce ambiguities in the reassembly procedure, causing vulnerable systems to crash
27
Q

IPv6 Header Values

A
  • Version: always ‘6’
  • Traffic class
  • Flow Label: allows tracking of specific traffic
  • Payload length: length of the data
  • Next header: indicates what to expect next
  • Hop Limit: number of routers that the packet is allowed to travel through before being discarded
  • Source Address
  • Destination Address
28
Q

IPv6 Attack: Covert Channel of Communication

A
  • Traffic class and flow label can be used by an attacker to establish a covert channel of communication
29
Q

IPv6 Attack: IPS evasion using Extension Header

A
  • A high number of EH (Extension Headers) sent in a single unfragmented datagram could be an indication of IDS evasion
30
Q

IPv6 Fragmentation

A
  • The unfragmentable part is the IPv6 header and IPv6 EH (extension headers)
  • The fragmentable part is the rest of the packet
  • Each fragment consists of:
    • the unfragmentable part
    • the fragment header
    • the fragment itself
31
Q

IPv6 Fragmentation Threats

A
  • DoS by sending a high number of incomplete fragment sets
  • IDS/IPS evasion by sending overlapping or nested fragments
32
Q

IPv6 Tunneling

A
  • IPv6 Tunnels can be detected inside network logs or NetFlow records
    • IPv4 protocol type 41 (ISATAP, 6to4 traffic)
    • IPv4 to UDP 3544 (Teredo traffic)
    • Traffic to 192.88.99.1 (6to4 traffic)
    • DNS server log: resolution of “ISATAP”
33
Q

How large is a MAC address?

A
  • 6 bytes
34
Q

What are the two parts of a MAC address?

A
  • 1st part: OUI
  • 2nd part: network interface specific identifier
35
Q

What is used in IPv6 instead of ARP?

A
  • Neighbor solicitation is used to request a MAC address associated with a given IPv6 address
  • Neighbor Advertisement is used for sending the response
36
Q

How large is an IPv4 address?

A
  • 32 bits
37
Q

How large is an IPv6 address?

A
  • 128 bits
38
Q

When is ARP used?

A
  • When two hosts reside in the same local network and want to communicate
  • If the two hosts reside on different physical segments, traffic will be routed via the Internet layer first, and then passed to the network access layer
39
Q

MAC Flooding

A
  • Forces switches to behave like a hub and then forward frames on all ports
  • Meant to stress the switch and fill its CAM table
  • CAM tables keep all the required information to forward frames to the correct port
  • When the space in the CAM table is filled with fake MAC addresses, the switch cannot learn new MAC addresses
  • The only way to keep the network alive is to forward the frames meant for the unknown MAC addresses on all the ports of the switch, thus making it fail open, or act like a hub
40
Q

What are the types of 802.11 packets?

A
  • Management
  • Control
  • Data
41
Q

Management packets

A
  • Connectivity between hosts at layer 2 is based on these packets
  • There are three subtypes:
    • authentication packets
    • association packets
    • beacon packets
42
Q

Control packets

A
  • Delivery of packets is enabled by these packets
  • Congestion is also regulated by these packets
  • There are two subtypes:
    • request-to-send packets
    • clear-to-send packets
43
Q

Data packets

A
  • These packets are the actual data containers
  • They are the only packets that can be passed from the wireless to the wired network
44
Q

Beacon packets

A
  • Management packet subtype
  • Broadcast from a wireless access point to inform listening wireless clients of its existence and its connection requirements
45
Q

Management packet header fields

A
  • timestamp
  • beacon interval
  • capabilities information
  • SSID parameter set
  • supported rates
  • DS parameter set
46
Q

How can attackers use IPv4 packets to check firewall and IDS reactions?

A
  • By using invalid IP versions in the packet (ex. IP7)
47
Q

How can the Source IP in a IPv4 packet be an indicator of a malicious packet?

A
  • Incoming traffic to your network should have a Source IP that does not belong to your network; if it does, it is probably crafted
  • Outgoing traffic from your network should have a Source IP that belongs to your network; if it does not, the address might be spoofed
48
Q

What is fragmentation?

A
  • Dividing a packet whose size is greater than the MTU (Maximum Transmission Unit) into equal-sized packets
  • Performed by a router or the sending host itself
49
Q

How can attackers introduce difficulties in the reassembling procedure by the IDS/IPS?

A
  • Crafted fragmented packets with identical offsets but different payloads
  • Crafted packets arriving with a great time difference
    • EX: If the IDS/IPS, due to performance limitations, doesn’t wait as long as the destination does for a fragment to arrive, a delayed fragment containing a malicious payload could evade it and exploit the destination
50
Q

IPv6 Concern: The number of EHs is not limited; what is the corresponding threat?

A
  • A high number of EHs could be used for FW/IDS/IPS evasion
51
Q

IPv6 Concern: The number of options (Hop-by-Hop or Destination) w/in an Options Header; what is the corresponding threat?

A
  • A high number of EHs could be used to cause DoS to the destination
52
Q

IPv6 Concern: There is no defined order of EHs; what is the corresponding threat?

A
  • Manipulation/fuzzing of the EHs could be used to cause DoS to the destination
53
Q

IPv6 Concern: EHs have different formats; what is the corresponding threat?

A
  • An attacker could use EHs for stealthy payload exchanges or covert communications
54
Q

What is the only value that should be used to determine reassembly of fragmented packets?

A
  • The Next Header value of the IPv6 Fragment Extension header
55
Q

IPv6 Network Discovery Attacks (2 examples)

A
  1. An attacker on the same local network can tamper with a returned NA (Neighbor Advertisement), spoofing an address, after a Neighbor Solicitation (NS) request is sent; this is the equivalent of ARP poisoning in IPv4
  2. An attacker can craft an NS request containing a fake IPv6 host address/link-layer pairing. Listening neighbors will introduce this ill-intended pairing into their neighbor cache; this is the equivalent of abused Gratuitous ARP in IPv4
56
Q

What is a defense against network discovery attacks?

A
  • SEND (Secure Neighbor Discovery)
  • Ensures message integrity
57
Q

What command allows you to display all Suricata rules?

A
  • ls -lah /etc/suricata/rules