Network-Based Attacks Flashcards

1
Q

What is a set of formal rules that describes how data is sent and received?

A

A protocol

2
Q

What is a software implementation that executes the formal rules of a protocol on a specific computing platform?

A

A service

3
Q

How does Linux implement protocols such as DNS?

A

As daemons (background services), for example the named daemon for DNS.

4
Q

Which Nmap NSE script can assist with cache snooping against an internal DNS server?

A

dns-cache-snoop.nse (run with --script dns-cache-snoop against 53/UDP)

5
Q

What kind of attack is characterized by an attacker learning which websites an organization's staff frequent and infecting those pages with malware so that visitors are compromised?

A

A watering hole attack (waterholing)

6
Q

Which attack method is characterized by impersonating a victim's DNS server and answering their queries with the address of a malicious website?

A

DNS spoofing

7
Q

Which attack method is characterized by inserting a forged record into a DNS resolver's cache so that it returns a malicious address, sending users to the attacker's site instead of the intended one?

A

DNS cache poisoning

8
Q

What is a type of attack where a malicious device sends a false ARP message to other hosts on the network in an attempt to impersonate another machine, thus linking its MAC address with another host IP on the network?

A

ARP poisoning/spoofing

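The card above describes the attack from the sender's side; the following is an added example (not part of the original deck) that shows the defender's side: it builds raw Ethernet/ARP frames, parses them, and flags the two symptoms of ARP poisoning, an IP address suddenly claimed by a second MAC and a reply that nobody asked for. The MAC addresses, IP addresses (documentation ranges) and the three-frame exchange are constructed for the demonstration.

```python
import struct


def inet(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ntoa(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(m: str) -> bytes:
    return bytes.fromhex(m.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(sender_mac, sender_ip, target_mac, target_ip, op: int) -> bytes:
    """Ethernet II frame carrying an ARP request (op=1, broadcast) or reply (op=2)."""
    smac, tmac = mac_bytes(sender_mac), mac_bytes(target_mac)
    eth = (b"\xff" * 6 if op == 1 else tmac) + smac + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, hlen 6, plen 4
           + smac + inet(sender_ip) + tmac + inet(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet/ARP frame, or None for anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    a = frame[22:42]
    return {"op": op, "eth_src": mac_str(frame[6:12]),
            "smac": mac_str(a[0:6]), "sip": ntoa(a[6:10]),
            "tmac": mac_str(a[10:16]), "tip": ntoa(a[16:20])}


class ArpWatch:
    """Tracks IP-to-MAC bindings and outstanding requests, in the spirit of arpwatch."""

    def __init__(self):
        self.table = {}        # ip -> mac first seen claiming it
        self.pending = set()   # (ip asked for, mac of the host that asked)
        self.alerts = []

    def observe(self, frame: bytes) -> None:
        p = parse_arp(frame)
        if p is None:
            return
        if p["op"] == 1:
            self.pending.add((p["tip"], p["smac"]))
        elif p["op"] == 2:
            key = (p["sip"], p["tmac"])
            if key in self.pending:
                self.pending.discard(key)
            else:  # nobody asked: the poisoning primitive the card describes
                self.alerts.append({"kind": "unsolicited-reply", "ip": p["sip"],
                                    "mac": p["smac"], "victim": p["tmac"]})
        if p["eth_src"] != p["smac"]:  # Ethernet source and ARP sender disagree
            self.alerts.append({"kind": "header-mismatch", "ip": p["sip"],
                                "eth_src": p["eth_src"], "arp_src": p["smac"]})
        known = self.table.setdefault(p["sip"], p["smac"])
        if known != p["smac"]:
            self.alerts.append({"kind": "mapping-changed", "ip": p["sip"],
                                "old": known, "new": p["smac"]})


if __name__ == "__main__":
    GW, HOST, ATTACKER = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:50", "cc:cc:cc:cc:cc:99"
    watch = ArpWatch()
    for frame in (
        build_arp(HOST, "192.0.2.50", "00:00:00:00:00:00", "192.0.2.1", 1),  # who has .1?
        build_arp(GW, "192.0.2.1", HOST, "192.0.2.50", 2),                   # .1 is-at GW
        build_arp(ATTACKER, "192.0.2.1", HOST, "192.0.2.50", 2),             # poison
    ):
        watch.observe(frame)
    for alert in watch.alerts:
        print(alert)
```

Gratuitous ARP sent by hosts at boot (sender IP equal to target IP) will also show up as an unsolicited reply, so a production version needs an allow-list for that case; the mapping-changed alert is the stronger signal.
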
9
Q

What kinds of services does NetBIOS provide?

A

Hostname registration and resolution (the NetBIOS Name Service, 137/UDP), connectionless messaging (the datagram service, 138/UDP), and connection-oriented session management and data transfer (the session service, 139/TCP)

10
Q

Which protocol mimics the functionality of DNS for IPv4 and IPv6 hostname resolution for hosts operating on small networks, and what port does it operate on?

A

LLMNR, on port 5355/UDP (queries are multicast to 224.0.0.252 for IPv4 and ff02::1:3 for IPv6)

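Cards 4 and 10 both come down to the DNS wire format: cache snooping works by sending a query with the recursion-desired (RD) bit cleared and seeing whether the resolver still has an answer, and LLMNR reuses the same question and answer encoding on 5355/UDP. The following is an added example, not part of the original deck or of the Nmap script, that builds such a query, parses the reply (including name-compression pointers) and classifies it the way a nonrecursive snoop does. The resolver address is an assumption (a documentation-range IP); the live send at the bottom needs a reachable resolver, everything else runs offline.

```python
import socket
import struct

RESOLVER = ("192.0.2.53", 53)        # assumed internal resolver (documentation range)
LLMNR_GROUP = ("224.0.0.252", 5355)  # LLMNR IPv4 multicast group and port (RFC 4795)


def encode_name(name: str) -> bytes:
    """Encode "www.example.com" as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, recursion_desired: bool = False,
                qtype: int = 1) -> bytes:
    """One-question query. For cache snooping RD stays 0: a resolver that honours
    it answers from cache only and never forwards the query upstream."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Parse the header, question section and answer RRs (A records decoded)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    for _ in range(an):
        rname, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((rname, rtype, ttl, rdata))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def cached_verdict(resp: dict) -> str:
    """Read a reply to an RD=0 query the way a nonrecursive snoop does:
    an answer section means the resolver already had the name cached."""
    if not resp["is_response"]:
        return "not a response"
    if resp["answers"]:
        return "cached"
    return "not cached (or the resolver ignores RD=0)"


def snoop(name: str, resolver=RESOLVER, timeout: float = 2.0) -> str:
    """Send one non-recursive query over UDP and classify the reply (needs network)."""
    query = build_query(name, txid=0x1234, recursion_desired=False)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, resolver)
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    return cached_verdict(resp) if resp["txid"] == 0x1234 else "txid mismatch"


if __name__ == "__main__":
    # The same encoder yields an LLMNR query: identical question layout, flags 0,
    # sent to LLMNR_GROUP instead of a unicast resolver.
    print("LLMNR query for fileserver01:", build_query("fileserver01").hex())
    try:
        print("www.example.com:", snoop("www.example.com"))
    except OSError as exc:  # no resolver reachable at the assumed address
        print("live query failed:", exc)
```

Resolvers that ignore RD=0 answer every query recursively, which is why dns-cache-snoop also offers a timed mode that compares response latency instead; the verdict string above calls that case out rather than reporting a false "not cached".
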
11
Q

Which Python tool acts as a poisoner for LLMNR, NBT-NS and mDNS and helps pentesters by answering name lookups with its own address and capturing usernames and NetNTLM password hashes with rogue authentication servers?

A

Responder

12
Q

What sequence of protocols do most Windows hosts follow for hostname resolution?

A

A Windows host checks its local hosts file and DNS first; if DNS cannot resolve the name it falls back to LLMNR, and if that also fails, to the NetBIOS Name Service (NBT-NS). Responder abuses those last two fallbacks.

13
Q

Which service do Microsoft Windows clients contact to obtain and configure automatic web proxy settings for Internet Explorer, and which is a popular vector for Responder attacks?

A

WPAD (Web Proxy Auto-Discovery Protocol). Clients resolve the hostname wpad, and if DNS has no such record they fall back to LLMNR and NBT-NS, which is where Responder answers.

14
Q

What are two methods to mitigate WPAD (Web Proxy Auto-Discovery) protocol attacks?

A

1) Create an entry for wpad in your DNS server that points to your organization's proxy server, so clients never fall back to LLMNR/NBT-NS for that name; 2) Disable "Automatically detect settings" in Internet Explorer and the Windows proxy settings, preferably with a Group Policy.

15
Q

Which tool bundled with Responder lets you perform NTLM relay attacks?

A

MultiRelay (tools/MultiRelay.py in the Responder repository)

16
Q

What are three attacks against user passwords?

A

Brute-Force & Dictionary Attacks, Password Spraying, and Hash Cracking

17
Q

Which password attack targets many users with a single, well-known password?

A

Password spraying

18
Q

What are the advantages and disadvantages of password spraying?

A

Advantages: much less likely to trigger account lockouts, because each account sees only one or two attempts per lockout window, and it is faster to try 1 or 2 passwords against 1,000 accounts than 100 dictionary words against each account. Disadvantages: success depends on luck and on a good understanding of how users in the target organization choose passwords.

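The lockout argument on cards 17 and 18 is easiest to see in code. The following is an added example, not from the original deck, of a spray planner that reads the domain's lockout policy (threshold and "reset counter after" window), keeps every user one guess below the threshold with a safety margin, and verifies its own schedule; the policy values, the user list and the guesses are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import ceil

CAMPAIGN_START = datetime(2024, 6, 3, 9, 0)  # constructed start time for the plan


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int        # bad attempts that lock the account; 0 means never
    window_minutes: int   # "reset account lockout counter after" interval


@dataclass(frozen=True)
class Attempt:
    when: datetime
    user: str
    password: str


def safe_attempts_per_window(policy: LockoutPolicy, margin: int = 1) -> int:
    """Attempts per user per window that stay below the threshold, keeping a
    margin so that a user's own mistyped logins do not tip them over."""
    if policy.threshold == 0:
        return 10 ** 9
    return max(policy.threshold - 1 - margin, 0)


def is_spray_feasible(policy: LockoutPolicy, margin: int = 1) -> bool:
    return safe_attempts_per_window(policy, margin) > 0


def windows_needed(num_passwords: int, policy: LockoutPolicy, margin: int = 1) -> int:
    """Lockout windows a list of guesses takes against each user: a 2-password
    spray fits in one window, a 100-word dictionary needs dozens."""
    return ceil(num_passwords / safe_attempts_per_window(policy, margin))


def plan_spray(users, passwords, policy: LockoutPolicy, start: datetime = CAMPAIGN_START,
               margin: int = 1, stagger_seconds: int = 5):
    """Lay out one password per round across all users, pausing a full lockout
    window (plus a minute) after every safe batch so the counters reset."""
    per_window = safe_attempts_per_window(policy, margin)
    if per_window == 0:
        raise ValueError("policy leaves no safe attempts; spraying would lock accounts")
    gap = timedelta(minutes=policy.window_minutes + 1)
    attempts, round_start = [], start
    for i, password in enumerate(passwords):
        if i and i % per_window == 0:
            round_start += gap
        for idx, user in enumerate(users):
            attempts.append(Attempt(round_start + timedelta(seconds=idx * stagger_seconds),
                                    user, password))
    return attempts


def max_failures_in_any_window(attempts, policy: LockoutPolicy) -> int:
    """Worst case for any one user if every guess fails: the planner's safety
    check. Must stay strictly below policy.threshold."""
    by_user = {}
    for a in attempts:
        by_user.setdefault(a.user, []).append(a.when)
    window, worst = timedelta(minutes=policy.window_minutes), 0
    for times in by_user.values():
        times.sort()
        for i, t in enumerate(times):
            worst = max(worst, sum(1 for t2 in times[i:] if t2 - t <= window))
    return worst


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=5, window_minutes=30)          # assumed AD policy
    users = [f"user{i:02d}@corp.example" for i in range(1, 11)]     # constructed list
    guesses = ["Summer2024!", "Welcome1", "Password1", "Spring2024!", "Corp123!"]
    plan = plan_spray(users, guesses, policy)
    print(f"{len(plan)} attempts over {windows_needed(len(guesses), policy)} windows;"
          f" worst per-user failures {max_failures_in_any_window(plan, policy)}"
          f" vs {windows_needed(100, policy)} windows for a 100-word dictionary")
```

The check in max_failures_in_any_window is what separates a spray from a lockout incident on an engagement: run it against the plan before the first request goes out, and re-run it if the policy is discovered to be stricter than assumed.
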
19
Q

What kind of attack involves collecting password hashes, either captured as they cross the network or found stored on a system, and recovering the plaintext from them offline?

A

Hash cracking

20
Q

Why do some vendors compute hashes for their software releases?

A

To let consumers verify that the software they download originated from the vendor and was not altered, by comparing the published hash against one computed locally.

21
Q

What is the default hashing function for later revisions of Linux?

A

sha512crypt (the $6$ prefix seen in /etc/shadow). Some newer distributions, for example Debian 11 and Ubuntu 22.04 onward, default to yescrypt ($y$) instead.

22
Q

What kind of tool precomputes hash values for all plaintexts up to a certain length and character set, typically for one specific hash function such as MD5 or SHA-1?

A

A rainbow table. Because it is built for a specific unsalted hash function, a per-password salt (as used by sha512crypt) makes the precomputation useless.

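Cards 19 through 22 fit together: a rainbow table trades storage for time by storing only the ends of hash-then-reduce chains, and a salt defeats it because the table was built for the bare hash. The following is an added example, not from the original deck, of a miniature rainbow table for unsalted MD5 over a deliberately tiny space (three lowercase letters) so it builds in well under a second, followed by the salted case where only a per-hash dictionary attack works. The charset, chain length and start-point spacing are choices made for this demonstration.

```python
import hashlib
import string

CHARSET = string.ascii_lowercase
LENGTH = 3
SPACE = len(CHARSET) ** LENGTH   # 17,576 candidate plaintexts
CHAIN_LEN = 40


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def index_to_plaintext(n: int) -> str:
    """Map an integer in [0, SPACE) to a plaintext (mixed-radix decode)."""
    out = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(CHARSET))
        out.append(CHARSET[r])
    return "".join(out)


def reduce_(digest_hex: str, position: int) -> str:
    """Reduction function: turns a digest back into *some* plaintext. Mixing in
    the chain position gives every step its own function, which is what
    distinguishes a rainbow table from plain hash chains and limits merges."""
    return index_to_plaintext((int(digest_hex[:16], 16) + position) % SPACE)


def build_table(num_chains: int) -> dict:
    """Return {chain end: chain start}; only the two ends of each chain are stored."""
    table = {}
    for i in range(num_chains):
        start = index_to_plaintext((i * 7919) % SPACE)  # deterministic spread of starts
        p = start
        for pos in range(CHAIN_LEN):
            p = reduce_(md5_hex(p), pos)
        table.setdefault(p, start)  # keep the first chain when two merge
    return table


def lookup(table: dict, target_hex: str):
    """Find the plaintext whose MD5 is target_hex, or None if no chain covers it."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        # assume the target sits at chain position `pos` and walk to the chain end
        p = reduce_(target_hex, pos)
        for later in range(pos + 1, CHAIN_LEN):
            p = reduce_(md5_hex(p), later)
        start = table.get(p)
        if start is None:
            continue
        # regenerate the chain from its start and verify: false alarms do happen
        q = start
        for k in range(CHAIN_LEN):
            if md5_hex(q) == target_hex:
                return q
            q = reduce_(md5_hex(q), k)
    return None


def salted_md5_hex(salt: str, password: str) -> str:
    return md5_hex(salt + password)


def dictionary_crack(target_hex: str, salt: str, wordlist):
    """With a salt the table is useless; each hash has to be attacked on its own."""
    for word in wordlist:
        if salted_md5_hex(salt, word) == target_hex:
            return word
    return None


if __name__ == "__main__":
    table = build_table(600)
    print(f"{len(table)} chain ends stored for a space of {SPACE} plaintexts")
    print("unsalted md5('cat'):", lookup(table, md5_hex("cat")))   # None if no chain covers it
    print("salted md5:", lookup(table, salted_md5_hex("x7", "cat")))  # always None
    print("dictionary:", dictionary_crack(salted_md5_hex("x7", "cat"), "x7", ["dog", "cat"]))
```

Six hundred chains of length 40 cover at most 24,000 of the 17,576 plaintexts before merges, so coverage is probabilistic; real tables use far longer chains and many more of them, and that is exactly the work a random 16-byte salt forces an attacker to redo per password.
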
23
Q

What kinds of tools help to increase the likelihood of successful password exploitation?

A

John The Ripper, Hashcat, Cain & Abel

24
Q

According to US-CERT, what is the most common stress testing attack method?

A

Flooding

25
Q

What is a group of many Internet-connected computing devices used together to carry out coordinated tasks, such as DoS attacks?

A

Botnet

26
Q

What two tools come pre-installed in Kali and allow a pentester to analyze network packets?

A

Wireshark and tcpdump

27
Q

What kind of Python program can assist you with packet manipulation by forging and decoding packets?

A

Scapy

28
Q

What is a protocol that is used to define a standard for how operating systems, processes, and applications generate messages or notifications?

A

Syslog

29
Q

Which layer 2 protocol runs on switches and prevents loops in networks with redundant paths by electing a root bridge and placing redundant ports into a blocking state, so that only one active path exists between any two segments?

A

Spanning Tree Protocol (STP)

30
Q

What is a Bridge Protocol Data Unit (BPDU)?

A

Frames that switches multicast to one another at regular intervals (every 2 seconds by default) carrying the root bridge ID and path cost; each switch uses them to elect the root bridge and to decide which of its ports forward and which block.

31
Q

What type of VLAN hopping attack occurs when an attacker emulates a valid trunking switch by speaking DTP and 802.1Q, so that the switch forms a trunk with the attacker's port and carries every VLAN to it?

A

Switch spoofing

32
Q

How can you mitigate switch spoofing attacks?

A

By disabling trunk negotiation (DTP) on user-facing ports (switchport nonegotiate on Cisco IOS) and statically configuring them as access ports.

33
Q

What kind of VLAN hopping attack occurs when an attacker sits on the native VLAN of a trunk and crafts a frame with two 802.1Q tags, the outer one for the native VLAN and the inner one for the target VLAN, so that the first switch strips the outer tag and the second switch forwards the frame into the VLAN named by the inner tag?

A

Double-tagging

34
Q

How can you mitigate double-tagging VLAN hopping attacks?

A

By not placing any hosts on the native VLAN, by setting the native VLAN on trunks to an unused VLAN ID, or by forcing the native VLAN to be tagged on all trunk ports (vlan dot1q tag native on Cisco IOS).

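Cards 33 and 34 are easier to reason about with the frames in hand. The following is an added example, not from the original deck, that builds a double-tagged Ethernet frame and models the one switch behaviour the attack depends on: a trunk sends native-VLAN frames untagged, so an outer tag equal to the native VID is stripped and the inner tag is exposed to the next switch. Running the same frame through the three mitigations on card 34 shows why each one works. The MAC addresses and VLAN IDs are made up, and the switch model is simplified to that single rule.

```python
import struct

TPID = 0x8100            # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst: str, src: str, vids, payload: bytes) -> bytes:
    """Ethernet frame with one 802.1Q header per VID, outermost first."""
    frame = mac(dst) + mac(src)
    for vid in vids:
        frame += struct.pack("!HH", TPID, vid & 0x0FFF)  # PCP and DEI left at 0
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tags(frame: bytes):
    """Return ([vids outermost first], offset of the payload EtherType)."""
    vids, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vids, off


def pop_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def trunk_egress(frame: bytes, native_vid: int, tag_native: bool) -> bytes:
    """First switch sends the frame out its trunk. By default frames belonging to
    the native VLAN leave untagged, so an outer tag equal to the native VID is
    removed and whatever tag sat underneath becomes the outer tag."""
    vids, _ = parse_tags(frame)
    if vids and vids[0] == native_vid and not tag_native:
        return pop_outer_tag(frame)
    return frame


def trunk_ingress_vlan(frame: bytes, native_vid: int) -> int:
    """Second switch: a tagged frame goes to the tagged VLAN, an untagged one
    to the trunk's native VLAN."""
    vids, _ = parse_tags(frame)
    return vids[0] if vids else native_vid


def attack_outcome(attacker_vid: int, victim_vid: int, native_vid: int,
                   tag_native: bool) -> int:
    """VLAN into which the second switch delivers the attacker's double-tagged frame."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01",
                        [attacker_vid, victim_vid], b"\x45" + b"\x00" * 19)
    crossed = trunk_egress(frame, native_vid, tag_native)
    return trunk_ingress_vlan(crossed, native_vid)


if __name__ == "__main__":
    # attacker on VLAN 1 (the default native VLAN) targeting VLAN 20
    print("default config:        lands in VLAN", attack_outcome(1, 20, 1, False))
    print("native VLAN tagged:    lands in VLAN", attack_outcome(1, 20, 1, True))
    print("native moved to 999:   lands in VLAN", attack_outcome(1, 20, 999, False))
```

The first line prints 20 (the hop succeeds); the other two print 1, because the outer tag is no longer stripped and the second switch sees the attacker's own VLAN. Moving hosts off the native VLAN works for the same reason: the attacker's access port then cannot inject frames the trunk treats as native.
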
35
Q

What are three methods a pentester can use to bypass Network Access Control (NAC)?

A

Violating trust relationships, exploiting implementation weaknesses, or taking advantage of configuration weaknesses

36
Q

Which Exploit-DB command-line tool, included in Kali Linux, lets you search a local copy of the Exploit Database for known exploits?

A

searchsploit

37
Q

Which open-source implementation of SMB/CIFS (Common Internet File System) provides file and print sharing between Windows and Unix systems?

A

Samba

38
Q

How do NFSv3 and earlier identify users and groups, and what does that look like when you mount a share?

A

NFSv3 and earlier identify file owners only by numeric UID and GID (AUTH_SYS); no usernames are exchanged. When you mount such a share from a client, listings show the raw UID or GID in place of a user or group name whenever your local system cannot map them, either because the client is not joined to the same directory or because no local account has that ID.

39
Q

Your Nmap scan finds port 445/tcp open on a Windows server, with one of the default administrative shares accessible anonymously; through it the scanner enumerated additional users and services on the domain. Which share did you most likely enumerate?

A

IPC$. Connecting to IPC$ with a null session (no username or password) is something Microsoft historically allowed anonymous users to do, and it permits enumerating users, groups and network shares.

40
Q

Which command-line flag tells hping3 to use a random source IP address?

A

--rand-source
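Cards 24 and 40 meet on the defender's side: a flood sent with hping3 --rand-source shows one SYN per source address, so any detection keyed on a single noisy source never fires. The following is an added example, not from the original deck, of a detector that reads tcpdump-style lines and aggregates per destination instead, flagging a high SYN rate with almost no completed handshakes and reporting whether the sources look spoofed. All traffic is constructed inside the block (documentation-range addresses); the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")


@dataclass
class Packet:
    t: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_line(line: str):
    """Parse one tcpdump line into a Packet, or None if it is not TCP/IPv4 output."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = m["ts"].split(":")
    return Packet(int(h) * 3600 + int(mi) * 60 + float(s), m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), m["flags"])


def analyze(lines, rate_threshold=100.0, completion_max=0.2, spoof_ratio=0.9):
    """Return one alert per destination ip:port that looks like a SYN flood."""
    stats = defaultdict(lambda: {"syn": 0, "srcs": set(), "done": set(), "t0": None, "t1": None})
    pending = set()  # flows that have sent a SYN and not yet completed the handshake
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        key, flow = (p.dst, p.dport), (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            d = stats[key]
            d["syn"] += 1
            d["srcs"].add(p.src)
            d["t0"] = p.t if d["t0"] is None else d["t0"]
            d["t1"] = p.t
            pending.add(flow)
        elif p.flags == "." and flow in pending:  # client's final ACK of the handshake
            stats[key]["done"].add(flow)
            pending.discard(flow)
    alerts = []
    for (dst, dport), d in stats.items():
        span = max(d["t1"] - d["t0"], 1.0)  # rate floor so a sub-second burst is not inflated
        rate = d["syn"] / span
        completion = len(d["done"]) / d["syn"]
        unique_ratio = len(d["srcs"]) / d["syn"]
        if rate >= rate_threshold and completion <= completion_max:
            alerts.append({"target": f"{dst}:{dport}", "syn_per_s": round(rate, 1),
                           "completion": round(completion, 2),
                           "spoofed_sources": unique_ratio >= spoof_ratio})
    return alerts


def sample_capture():
    """Constructed traffic: a 0.5 s burst of 300 spoofed SYNs at 192.0.2.10:80
    and 20 normal handshakes to 192.0.2.20:443 spread over 10 s."""
    lines = []
    for i in range(300):
        src = f"198.51.{i // 254 + 100}.{i % 254 + 1}"  # every SYN from a new address
        lines.append(f"12:00:00.{i * 1667:06d} IP {src}.{40000 + i} > 192.0.2.10.80: "
                     f"Flags [S], seq {i}, win 64240, length 0")
    for i in range(20):
        t, src, sport = i * 0.5, f"203.0.113.{i % 5 + 1}", 50000 + i
        lines.append(f"12:00:{t:09.6f} IP {src}.{sport} > 192.0.2.20.443: "
                     f"Flags [S], seq 0, win 65535, length 0")
        lines.append(f"12:00:{t + 0.02:09.6f} IP 192.0.2.20.443 > {src}.{sport}: "
                     f"Flags [S.], seq 0, ack 1, win 65535, length 0")
        lines.append(f"12:00:{t + 0.04:09.6f} IP {src}.{sport} > 192.0.2.20.443: "
                     f"Flags [.], ack 1, win 65535, length 0")
    return lines


if __name__ == "__main__":
    for alert in analyze(sample_capture()):
        print(alert)
```

The spoofed_sources flag is the operational takeaway: when it is set, blocking individual addresses or per-source rate limiting will not help, and the response has to be SYN cookies, upstream filtering or scrubbing rather than a blocklist.
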