Network Attacks Flashcards
What’s the difference between a hub and a switch network?
A hub sends all incoming data to all nodes; nodes ignore data not addressed to them.
A switch knows which connection goes to which node, so it sends packets to the right node.
What is the OSI 7 Layer Model?
- Application
- Presentation
- Session
- Transport
- Network
- Data Link
- Physical
What is TCP/IP?
Transmission Control Protocol / Internet Protocol is a set of networking protocols that allows two or more computers to communicate.
What is a socket?
A socket is bound to a port so that the TCP layer can identify the application that data is destined to be sent to.
What is port spoofing?
Port spoofing is using ports that are meant for the acceptance of other data.
If security infrastructure determines traffic legitimacy only by port, it won’t notice port spoofing.
What is deep packet inspection?
Used to locate, identify, classify, reroute or block packets with specific data or code payloads that conventional packet filtering cannot detect.
What is port scanning?
A process which checks a host's ports to see which are open, closed or filtered and listens to data arriving at and leaving a port.
What are some basic scans?
- Zenmap Quick Scan
- TCP Connect Scan
- Specific Port Scan
What is TCP Connect() Scan?
- Known as Vanilla scan
- If port is reachable, connect for further probing.
- Very noisy and will get logged.
What are pros & cons of TCP Connect() scan?
Pros: no special privileges required, accurate in determining TCP services, can find open, closed & filtered ports
Cons: slow, easily detected
What is half open scan?
Immediately ends the connection using an RST packet, but the port remains open.
What are pros & cons of a TCP SYN scan?
Pros: faster, stealthy, and finds open, closed and filtered ports
Cons: requires privilege, and some firewalls watch for SYNs to restricted ports.
What are five of the advanced port scanning techniques?
- Random
- Slow
- Fragmentation
- Decoy
- Coordinated
What is fragmentation scan?
All IP packets that carry data can be fragmented, so we split probe packets into several IP fragments. Firewalls may assume the fragment was already allowed before, and so let it through.
Advantage: difficult to detect scan
Disadvantage: does not work on all OSes, can crash firewalls.
What is a decoy scan?
Scanning by spoofing multiple addresses so the server does not know who is the actual scanner.
What is packet sniffing?
It is a technique whereby packet data flowing across the network is detected and observed.
What is passive sniffing?
It is for hub networks where you rely on the promiscuous mode feature of a network interface controller to sniff packets since all packets are transmitted to every node.
What is active sniffing?
It is for switch networks where an attacker spoofs the ARP reply to cause the network switch to push traffic meant for one node to the attacker node.
What is Address Resolution Protocol?
Primarily used to translate IP addresses to Ethernet MAC addresses; each host maintains a table (ARP cache) of IP to MAC addresses.
Consists of request and reply message types with NO authentication, so requests and replies can be forged.
What is ARP poisoning?
A forged ARP reply is sent to the source of the ARP request; the source computer's ARP cache is updated with the forged entry.
If the network switch is spoofed, all hosts on the subnet will route through the attacker’s machine; otherwise you have to poison the ARP cache of every host on the subnet.
What are the 3 ways to ARP poison?
- Broadcast Request
- Request Response
- Unsolicited Response