Network Attacks

Question 1

What’s the difference between a hub and a switch network?

Answer 1

Hub sends all incoming data to all nodes; nodes ignore if not addressed to them.

Switches know which connection goes to which node, so sends packets to the right node.

Question 2

What is the OSI 7 Layer Model?

Answer 2

1. Application
2. Presentation
3. Session
4. Transport
5. Network
6. Data Link
7. Physical

Question 3

What is TCP/IP?

Answer 3

Transmission Control Protocol / Internet Protocol is a set of networking protocols that allows two or more computers to communicate.

Question 4

What is a socket?

Answer 4

Socket bound to a port that the TCP layer can identify the application that data is destined to be sent to.

Question 5

What is port spoofing?

Answer 5

Port spoofing is using different ports meant for acceptance of other data.

If security infrastructure only determines traffic legitimacy by port, they won’t notice port spoofing.

Question 6

What is deep packet inspection?

Answer 6

Used to locate, identify, classify, reroute or block packet with specific data or code payloads that conventional packet filtering cannot detect.

Question 7

What is port scanning?

Answer 7

A process which checks a host ports to see which are open, closed or filtered and listens to data arriving at and leaving a port.

Question 8

What are some basic scans?

Answer 8

• Zenmap Quick Scan
• TCP Connect Scan
• Specific Port Scan

Question 9

What is TCP Connect() Scan?

Answer 9

• Known as Vanilla scan
• If port is reachable, connect for further probing.
• Very noisy and will get logged.

Question 10

What are pros & cons of TCP Connect() scan?

Answer 10

Pros: no special privileges required, accurate in determining TCP services, can find open, closed & filtered ports

Cons: slow, easily detected

Question 11

What is half open scan?

Answer 11

Immediately end connection using RST packet but port remains open.

Question 12

What are pros & cons of a TCP SYN scan?

Answer 12

Pros: faster, stealthy & find open, closed and filtered ports

Cons: requires privilege, and some firewalls watch for SYNs to restricted ports.

Question 13

What are five of the advanced port scanning techniques?

Answer 13

• Random
• Slow
• Fragmentation
• Decoy
• Coordinated

Question 14

What is fragmentation scan?

Answer 14

All IP packets that carry data can be fragmented, so we split probe packets into several IP fragments, firewalls may assume this fragment was allowed before already, so let through.

Advantage: difficult to detect scan

Disadvantage: not working on all OS, can crash firewalls.

Question 15

What is a decoy scan?

Answer 15

Scanning by spoofing multiple addresses so the server does not know who is the actual scanner.

Question 16

What is packet sniffing?

Answer 16

It is a technique whereby packet data flowing across the network is detected and observed.

Question 17

What is passive sniffing?

Answer 17

It is for hub networks where you rely on the promiscuous mode feature of a network interface controller to sniff packets since all packets are transmitted to every node.

Question 18

What is active sniffing?

Answer 18

It is for switch networks where an attacker spoofs the ARP reply to cause network switch to push traffic meant for one node to the attacker node.

Question 19

What is Address Resolution Protocol?

Answer 19

Primarily used to translate IP address to Ethernet MAC addresses; each host maintains a table (ARP cache) of IP to MAC addresses.

Consists of request & reply message type with NO authentication so request & replies can be forged.

Question 20

What is ARP poisoning?

Answer 20

A forged ARP reply is sent to source of ARP request; source computer ARP cache is updated with forged entry.

By spoofing network switch, all hosts on subnet will route through the attacker’s machine; otherwise you have to poison ARP cache of every host on the subnet.

Question 21

What are the 3 ways to ARP poison?

Answer 21

• Broadcast Request
• Request Response
• Unsolicited Response