Lesson 19: Applying Network Hardening Techniques

Question 1

Define enumeration

Answer 1

The process of extracting user names, machine names, network resources, shares and services from a system.

Question 2

What are two types of enumeration attacks?

Answer 2

1. Footprinting
2. Fingerprinting

Question 3

Define footprinting enumeration

Answer 3

Bad actor discovery tactic detecting topology and infrastructure to find indicators of compromise.

Question 4

Define fingerprinting enumeration

Answer 4

Bad actor discovery tactic detecting software, network protocols, operating systems, or hardware devices on the network to find indicators of compromise.

Question 5

What is the basic definition of a spoofing attack?

Answer 5

Attack technique where the threat actor disguises their identity or impersonates another user or resource.

Question 6

What are different types of spoofing attacks?

Answer 6

1. Phishing/Pharming
2. Packet/protocol spoofing (ARP/DNS/IP/MAC)
3. Man-in-the-Middle (MitM); On-path attack
4. Rouge DHCP

Question 7

Define a denial of service (DoS) attack

Answer 7

Deliberate attempt to make a website/application or network unavailable to users, by flooding it with network traffic.

Question 8

What are the typical effects of a denial of service (DoS) attack?

Answer 8

1 . Resource exhaustion (CPU/RAM/etc.)
2. exploit vulnerabilities in application software/hardware

Question 9

How can a denial of service (DoS) attack be manipulated?

Answer 9

A blinding attack using DoS to divert attention and resources from the real target

Question 10

What is the new term for a Man-in-the-Middle (MitM) attack?

Answer 10

On-path attack

Question 11

Define an on-path (Man-in-the-middle) attack

Answer 11

Attacker relays and possibly alters the communications between two parties.

Question 12

Define the process of MAC/IP spoofing

Answer 12

Altering the MAC/IP address of their device to mimic that of a legitimate device present on the network

Question 13

What is the role of IP spoofing in a denial of service (DoS) attack?

Answer 13

To mask the origin of the attack and make it harder for the target system to block packets from the attacking system.

Question 14

Define ARP spoofing

Answer 14

Bad actor sends fake ARP packets that link an attacker’s MAC address with an IP of a computer already on the LAN.

Question 15

Define ARP poisoning

Answer 15

After a successful ARP spoofing, a hacker changes the company’s ARP table, so it contains falsified MAC maps.

Question 16

What is a potential cause of an ARP poisoning attack directed at a default gateway?

Answer 16

All traffic destined for remote networks will be sent to the attacker.

Question 17

Define a rouge DHCP server and its function

Answer 17

Attacker sets their machine as the subnets default gateway or DNS server to intercept traffic

Question 18

Define DNS poisoning and its purpose

Answer 18

Attack where a threat actor injects false resource records into a client or server cache to redirect a domain name to an IP address of the attacker’s choosing.

Question 19

Define VLAN hopping

Answer 19

Exploiting a misconfiguration to direct traffic to a different VLAN without authorization.

Question 20

How is VLAN hopping performed?

Answer 20

Attacker crafts a frame with two VLAN tag headers. The first trunk switch to inspect the frame strips the first header, and the frame gets forwarded to the target VLAN.

Question 21

What is another way to perform VLAN tagging

Answer 21

Attaching a device that spoofs the operation of a switch to the network and negotiating the creation of a trunk port. As a trunk port, the attacker’s device will receive all inter-VLAN traffic.

Question 22

What is one way VLAN tagging be mitigated?

Answer 22

Ensuring that the native VLAN uses a different ID compared to any user accessible VLAN

Question 23

What is another way VLAN tagging can be mitigated?

Answer 23

Ensuring that trunk ports are pre-determined in the switch configuration and that access ports are not allowed to auto-configure as trunk ports.

Question 24

Define a rouge access point

Answer 24

One that has been installed on the network without authorization.

Question 25

Define an evil twin

Answer 25

A rogue AP masquerading as a legitimate AP deceiving users into believing that it is a legitimate network access point.

Question 26

What is the purpose/function of an evil twin AP?

Answer 26

To harvest authentication information

Question 27

What is a method to prevent a rouge AP?

Answer 27

Using EAP-TLS security authentication server and clients perform mutual authentication.

Question 28

What network/security appliances can detect rouge APs?

Answer 28

Wireless intrusion detection system (WIDS) or wireless intrusion prevention system (WIPS)

Question 29

Define a deauthentication attack

Answer 29

Type of denial-of-service attack that targets communication between a client and AP

Question 30

How can deauthentication attacks be mitigated?

Answer 30

The wireless infrastructure supports Management Frame Protection - AP and clients must both support the MFP protocol

Question 31

Define a distributed DoS (DDoS) attack

Answer 31

Involves the use of infected Internet-connected computers and devices to disrupt the normal flow of traffic to a server or service by overwhelming the target with traffic.

Question 32

Define a SYN flood attack

Answer 32

Type pf DDoS attack that exploits the 3-way handshake by flooding the target with SYN connection request packets with fake IPs causing the server to temporarily maintain a new open port connection for a certain length of time.

Question 33

Define a botnet

Answer 33

Group of hosts or devices that have been infected by a control program called a bot that enables attackers to exploit the hosts to mount attacks.

Question 34

How is a botnet created?

Answer 34

A threat actor will first compromise one or two machines to use as handlers; handlers are used to compromise a number of zombie hosts with DoS tools create the botnet.

Question 35

Once a botnet is created, what is the network between the bots and the handler defined as?

Answer 35

command and control (C-and-C or C2) network.

Question 36

What is the basic definition of malware?

Answer 36

Software that serves a malicious purpose, typically installed without the user’s consent/knowledge.

Question 37

What are different types of malware?

Answer 37

1. Viruses/worms
2. Trojans
3. Potentially unwanted programs (PUPs)/Potentially unwanted applications (PUAs)
4. Ransomeware

Question 38

Define a trojan malware

Answer 38

Malware concealed within an installer package for software that appears to be legitimate.

Question 39

Define a Potentially unwanted programs (PUPs)/Potentially unwanted applications (PUAs)

Answer 39

Software installed alongside a package selected by the user or perhaps bundled with a new computer system.

Question 40

Define a payload in the context of malware

Answer 40

An action performed by the malware other than simply replicating or persisting on a host

Question 41

What are some of the different payloads delivered by malware?

Answer 41

Spyware, rootkit, remote access Trojan (RAT) or backdoor, and ransomware

Question 42

Define ransomware and its purpose

Answer 42

Malware that tries to extort money from the victim by encrypting the victim’s files and demanding payment.

Question 43

Define a dictionary password attack

Answer 43

Compares encrypted password hash values against a predetermined list of possible password values.

Question 44

Define a brute force password attack

Answer 44

An attacker uses an application to exhaustively try every possible alphanumeric combination to crack encrypted passwords.

Question 45

How can passwords be intercepted on a network?

Answer 45

If a protocol uses cleartext credentials, sniffing the network for the weak protocol can produce unencrypted passwords.

Question 46

Define social engineering and its purpose

Answer 46

Use deception and trickery to convince unsuspecting users to provide sensitive data or to violate security guidelines.

Question 47

Define a phishing attack

Answer 47

A combination of social engineering and spoofing in which the attacker sends email from a supposedly reputable source, to try to obtain sensitive information or install malicious software.

Question 48

Define shoulder surfing

Answer 48

Social engineering tactic to obtain someone’s password or PIN by observing a person as they type it in.

Question 49

Define tailgating

Answer 49

Social engineering technique to gain access to a building by following someone who is unaware of their presence.

Question 50

Define piggybacking

Answer 50

Social engineering tactic when the attacker convinces an employee to allow them to enter into a secure area.

Question 51

Define device hardening

Answer 51

Process of making a host or app configuration secure by reducing its attack surface, through running only necessary services, installing monitoring software to protect against malware and intrusions, and establishing a patching schedule.

Question 52

List the common hardening policies/tactics

Answer 52

1. Change default passwords
2. Enforce password complexity/length
3. Role-based access
4. Uninstall unneeded services
5. Disable unsecure/unneeded protocols

Question 53

What is the suggested password length?

Answer 53

8 characters for user passwords, 14 characters for service accounts.

Question 54

Define MAC filtering and its purpose

Answer 54

Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.

Question 55

What switch configuration helps prevent ARP poisioning?

Answer 55

Dynamic ARP inspection (DAI)

Question 56

What switch configuration helps prevent spoofing of the switch’s MAC as well as rouge DHCP servers?

Answer 56

DHCP Snooping

Question 57

How does DHCP snooping funciton?

Answer 57

Inspects DHCP traffic to only trust DHCP offers from trusted ports and blocks untrusted DHCP offers from unauthorized sources.

Question 58

As Dynamic ARP Inspection (DAI) and DHCP Snooping are to IPv4, what is their equivalent in IPv6?

Answer 58

Neighbor Discovery (ND) Inspection and Router Advertisement (RA) Guard.

Question 59

Define Port-Based Network Access Control (PNAC)

Answer 59

The switch performs some sort of authentication of the attached device before activating the port.

Question 60

How does Port-Based Network Access Control (PNAC) perform authentication?

Answer 60

The device requesting access is the supplicant, the switch, referred to as the authenticator, enables the Extensible Authentication Protocol over LAN (EAPoL) protocol only and waits for the device to supply authentication data, the authenticator passes this data to an authenticating server

Question 61

Once access it granted when Port-Based Network Access Control (PNAC) is enabled, how does the switch allow network access?

Answer 61

Configure the port to use the appropriate VLAN and enable it for ordinary network traffic

Question 62

If access is denied when Port-Based Network Access Control (PNAC) is enabled, how does the switch configured network access?

Answer 62

Unauthenticated hosts may be denied any type of access or be placed in a guest VLAN with only limited access to the rest of the network.

Question 63

Define a virtual LAN (VLAN) and its purpose

Answer 63

A VLAN isolates Layer 2 broadcast traffic to switch ports that are configured with the same VLAN ID; Deployed to enforce segmentation policies by mapping each VLAN ID to a subnet forcing a router of L3 switch to forward traffic between VLANs.

Question 64

Define a private VLAN (PVLAN) and its purpose

Answer 64

Method of isolating hosts to prevent hosts within the same VLAN from communicating directly.

Question 65

How is a primary VLAN referred to as when configuring a private VLAN (PVLAN)?

Answer 65

The “host” VLAN is referred to as the primary VLAN.

Question 66

What are the 3 different port configurations when configuring the primary of a private VLAN (PVLAN)?

Answer 66

1. Promiscuous port
2. Isolated port
3. Community port

Question 67

What is the function/purpose of a promiscuous port?

Answer 67

Can communicate with all ports in all domains within the PVLAN. This is normally the port through which routed and/or DHCP traffic is sent.

Question 68

What is the function/purpose of a isolated port?

Answer 68

Can communicate with the promiscuous port only. This creates a subdomain of a single host only. The PVLAN can contain multiple isolated ports, but each is in its own subdomain.

Question 69

What is the function/purpose of a community port?

Answer 69

Can communicate with the promiscuous port and with other ports in the same community. This creates a subdomain that can contain multiple hosts.

Question 70

Define a default VLAN

Answer 70

Default VLAN ID (1) for all unconfigured switch ports, and unless configured, all switch ports belong to the default VLAN

Question 71

What is best practice for the default VLAN?

Answer 71

Avoid sending user data traffic over the default VLAN. It should remain unused or used only for inter-switch protocol traffic, where necessary.

Question 72

Define a native VLAN

Answer 72

VLAN ID used for any untagged frames received on a trunk port.

Question 73

Define the purpose of a native VLAN

Answer 73

When a switch receives an untagged frame over a trunk, it assigns the frame to the native VLAN.

Question 74

What is best practice for the native VLAN?

Answer 74

The same ID should be used on both ends of the trunk and the ID should not be left as the default VLAN ID (1).

Question 75

How are the rules process in an access control list (ACL)?

Answer 75

From top to bottom; If traffic matches a rule that allows the packet, then it will be processed based on the action configured in the rule; if traffic reaches the bottom, it should be blocked.

Question 76

What is best practice for the structure of a firewall’s ACL?

Answer 76

1. The most specific rules are placed at the top
2. The final default rule is typically to block any traffic that has not matched a rule (implicit/explicit deny)

Question 77

Define the purpose of an implicit deny

Answer 77

Firewall ACL rule configured by default to block any traffic not matched by previous rules.

Question 78

Define an explicate deny

Answer 78

Firewall ACL rule configured manually to block any traffic not matched by previous rules.

Question 79

Define a (5-)tuple

Answer 79

a 5-tuple is a collection of 5 values that identify a TCP/IP connection

Question 80

How are ACL rules structured?

Answer 80

Rule can execute a configured action (deny/allow/drop) based on parameters/5-tuples

Question 81

What are the parameters in a 5-tuple?

Answer 81

1. Protocol
2. Source IP
3. Source Protocol
4. Destination address
5. Destination port
6. etc if necessary

Question 82

What is the Linux command line utility for configuring the kernel firewall?

Answer 82

iptables

Question 83

How does iptables process traffic?

Answer 83

Operates with firewall chains, which are different types of traffic passing through the system.

Question 84

What are the main firewall chains in iptables?

Answer 84

1. Input; incoming connections
2. Output; outgoing connections
3. Forward; routing/filtering

Question 85

What is the iptables commands to allow one IP address from a specific subnet to connect and block all others from the same subnet.

Answer 85

iptables -A INPUT -s x.x.x.1 -j ACCEPT
iptables -A INPUT -s x.x.x.x/24 -j DROP

Question 86

Define a route processor (RP) attack

Answer 86

Type of denial of service (DoS) attack when bad actor floods a gateway with high priority traffic to strain the routers main processor

Question 87

What is a method of mitigating a route processor (RP) attack?

Answer 87

control plane policing policy uses ACLs to allow or deny control traffic from certain sources and apply rate-limiting if a source threatens to overwhelm the route processor.

Question 88

Define pre-shared keys

Answer 88

Group authentication protocol allowing clients to connect to a network using a shared password/passphrase which is used to generate a pre-shared key

Question 89

What is the suggested length for a pre-shared key?

Answer 89

14 characters

Question 90

Define Extensible Authentication Protocol (EAP)

Answer 90

Authentication framework for securely passing authentication information between the supplicant (client) and the authentication server.

Question 91

How can devices be authenticated using Extensible Authentication Protocol (EAP)

Answer 91

A digital certificate issued to the authentication server is implemented the router protocol and installed on the device.

Question 92

Define a captive portal and its purpose

Answer 92

Landing page configured on guest network to authenticate guests after meeting set requirements from the landing page.

Question 93

Define geofencing

Answer 93

Security control to ensure that the station is within a valid geographic area to access the network.

Question 94

When performing a wireless site survey, what would be the indication of an evil twin rouge access point?

Answer 94

The presence of an unusually strong transmitter (30 dBm+).

Question 95

Define wireless client isolation and its purpose

Answer 95

AP configuration preventing wireless clients in the same broadcast domain from communicating by dropping peer-to-peer traffic and only allowing clients to communicate via the gateway.