OSI Model and Network Protocols

Question 1

Describe Layer 1 (Physical) in the OSI Model

Answer 1

This layer deals with the hardware of networks such as cabling. It defines the mechanical and electrical standards of interface devices and the types of cables used to transmit digital signals (e.g. optical fiber, coaxial cable, wireless, etc.).

Question 2

Describe Layer 2 (Data Link) of the OSI Model

Answer 2

This layer receives data from the physical layer and compiles it into a transform form called framing or frame. The principal purpose of this layer is to detect transfer errors by adding headers to data packets.

Question 3

Describe layer 3 (Network) of the OSI Model

Answer 3

This is the most important layer of the OSI model, which performs real time processing and transfers data from nodes to nodes. Routers and switches are the devices used for this layer that connects the notes in the network to transmit and control data flow.

Question 4

Describe Layer 4 (Transport) of the OSI Model

Answer 4

The transport layer works on two determined communication modes: Connection oriented and connectionless. This layer transmits data from source to destination node. This layer includes TCP, responsible for reliable and correctly ordered packets, congestion control and others.

Question 5

Describe Layer 5 (Session) of the OSI Model

Answer 5

This layer allows users on different machines to establish active communications sessions between them. It is responsible for establishing, maintaining, synchronizing, terminating sessions between end-user applications. Session Layer, which is the 5th layer in the OSI model, uses the services provided by The transport layer, enables applications to establish and maintain sessions and to synchronize the sessions.

Question 6

Describe Layer 6 (Presentation) of the OSI Model

Answer 6

Within the service layering semantics of the OSI network architecture, the presentation layer responds to service requests from the application layer and issues service requests to the session layer through a unique presentation service access point (PSAP).

The presentation layer ensures the information that the application layer of one system sends out is readable by the application layer of another system. On the sending system it is responsible for conversion to standard, transmittable formats. On the receiving system it is responsible for the translation, formatting, and delivery of information for processing or display.

Question 7

Describe Layer 7 (Application) of the OSI Model

Answer 7

This layer provides several ways for manipulating the data (information) which actually enables any type of user to access network with ease. This layer also makes a request to its bottom layer, which is presentation layer for receiving various types of information from it. The application layer is actually an abstraction layer that specifies the shared protocols and interface methods used by hosts in a communication network.

Question 8

Name common protocols in Layer 1 of the OSI model

Answer 8

Bluetooth, IEEE.802.11, IEEE.802.3, L431 and TIA 449, PON, OTN, DSL

Question 9

Name common protocols in the Data Link OSI Layer

Answer 9

802.1x, EAPOL, CDP, Spanning Tree Protocol, Token Ring, ARP, CSLIP, HDLC, IEEE.802.3, PPP, X-25, SLIP, ATM, SDLS and PLIP.

Question 10

Name common protocols in the Network OSI layer

Answer 10

ICMP, IPSec, OSPF, EIGRP, IPV4/6

Question 11

Name common protocols in the Transport OSI Layer

Answer 11

TCP, UDP, Variations thereof.

Question 12

Name common protocols in the Session OSI Layer

Answer 12

NETBios, SOCKS, RTCP, PPTP

Question 13

Name Common Protocols in the Presentation OSI Layer

Answer 13

SSL, HTTP, FTP, AppleTalk Filing Protocol, Telnet, SSH

Question 14

Name common protocols in the application layer

Answer 14

HTML, Markdown, FTP, SNMP, DNS, NFS, POP - all the good ones.

Question 15

Describe CDP

Answer 15

CDP is a layer 2 protocol that is used by Cisco and CDP compatible hardware to inform hardware ‘neighbours’ of information that may include: operating system version, hostname, every address (i.e. IP address) from all protocol(s) configured on the port where CDP frame is sent, the port identifier from which the announcement was sent, device type and model, duplex setting, VTP domain, native VLAN, power draw (for Power over Ethernet devices), and other device specific information - it can also include routing information, to save normal routing packets being sent

this information can be queried via SNMP and the CDP ‘show cdp neighbors’ command on Cisco hardware.

CDP sends data out to a ‘multicast’ MAC address - 01:00:0c:cc:cc:cc

yersinia causes DoS
- Simply sending CDP packets with bogus data simulating real Cisco devices. The target device will begin to allocate memory in its CDP table to save the new neighbor information, but without knowing that it is going to have thousands or millions of new friends.

Question 16

Describe STP

Answer 16

The Spanning Tree Protocol (STP) is a network protocol that builds a loop-free logical topology for Ethernet networks. The basic function of STP is to prevent bridge loops and the broadcast radiation that results from them. As the name suggests, STP creates a spanning tree that characterizes the relationship of nodes within a network of connected layer-2 bridges, and disables those links that are not part of the spanning tree, leaving a single active path between any two network nodes.

• no authentication
• can manipulate process to cause constant reconfiguration state, leading to a dos
• flood network with BPDU (update packets) leading the network to constantly reconfigure itself
• yersinia

Taking over a root bridge is probably one of the most disruptive attacks. By default, a LAN switch takes any BPDU sent from Yersinia at face value. Keep in mind that STP is trustful, stateless, and does not provide a solid authentication mechanism. The default STP bridge priority is 32768. Once in root attack mode, Yersinia sends a BPDU every 2 sec with the same priority as the current root bridge, but with a slightly numerically lower MAC address, which ensures it a victory in the root-bridge election process

Question 17

Describe the VLAN 802.1q protocol

Answer 17

A protocol used to segregate networks into smaller logical chunks by ensuring ethernet packets are ‘tagged’ with a 4 byte VLAN ID, it supports up to 4096 VLANS. The VLAN tag is inserted between the source MAC address and the Type/Length fields in the Ethernet frame

Question 18

Describe 802.1x

Answer 18

allows authentication via credentials of a device accessing the network, prevents wider network access prior to authentication.

Take user credentials provided by the client device to the switch/whatever, and forwards it on to a RADIUS server where authentication can be verified.

Question 19

Describe the difference between Distance vector and link state routing protocols

Answer 19

Distance vector protocols can measure the distance—called hops—it takes data to arrive at its destination within a system or application. The number of hops refers to the specific number of routers the data may run through before reaching its ultimate destination.

Link state protocols also find the best routing path and also share information with nearby routers. However, they calculate the speed and the cost of resources associated with each potential path. For example, if a route is longer, it may cost more for the data to be copied additional times. Link state routers are updated from all the routers in the entire network by passing information from router to nearest router.

Rather than continuously broadcast its routing tables as does a distance vector protocol, a link state protocol router only notifies its neighboring routers when it detects a change.

Question 20

subnet mask of a Class A network?

Answer 20

/8 or 255.0.0.0

Question 21

subnet mask of a Class B network?

Answer 21

/16 or 255.255.0.0.

Question 22

Subnet mask of a Class C network

Answer 22

/24 or 255.255.255.0

Question 23

first octet of class A network?

Answer 23

1 to 126

Question 24

first octet of class B network?

Answer 24

128 to 191

Question 25

first octet of class C network?

Answer 25

192 to 223

Question 26

first octet of class D network?

Answer 26

224 to 239

Question 27

first octet of class E network?

Answer 27

240 to 254

Question 28

link-local IPV4 addresses subnet

Answer 28

169.254.0.0/16

Question 29

IPv6 link local subnet?

Answer 29

fe80::/10

Question 30

bits in IPv6?

Answer 30

128

Question 31

bits in IPv4?

Answer 31

32

Question 32

number of hosts in /25?

Answer 32

126

Question 33

number of addresses in /28

Answer 33

16

Question 34

number of addresses in /22

Answer 34

512

Question 35

number of hosts in a /28

Answer 35

14 - 1 reserved for broadcast, 1 reserved for network address

Question 36

Name protocols used with 802.1x to secure credentials sent over the network

Answer 36

EAP-TLS,
PEAP-MSCHAPV2,
EAP-TTLS/PAP

Question 37

Describe VTP

Answer 37

VLAN TRunk Protocol
Cisco proprietary protocol
used to propagate VLAN information through the network.
can be sent over 802.1Q, and ISL trunks.

Using VTP, each Catalyst Family Switch advertises the following on its trunk ports:

• Management domain
• Configuration revision number
• Known VLANs and their specific parameters

Yersinia has DoS for VTP, and potentially can be used to add or remove VLANS
- A malicious hacker exploits VTP to his advantage by connecting into a switch and establishing a trunk between his computer and the switch. (See the earlier “VLAN Hopping” section for more on establishing a trunk.) A malicious hacker then sends a VTP message to the switch with a higher configuration revision number than the current VTP Server but with no VLANs configured. This causes all switches to synchronize with the computer of the malicious hacker, which removes all nondefault VLANs from their VLAN database.

Question 38

Describe HSRP

Answer 38

Hot Standby Router Protocol
Cisco proprietary redundancy protocol
The protocol establishes an association between gateways in order to achieve default gateway failover if the primary gateway becomes inaccessible.

The primary router with the highest configured priority will act as a virtual router with a pre-defined gateway IP address and will respond to the ARP or ND request from machines connected to the LAN with a virtual MAC address. If the primary router should fail, the router with the next-highest priority would take over the gateway IP address and answer ARP requests with the same MAC address, thus achieving transparent default gateway failover.

default authentication data (think SNMP key): cisco

• any HSRP-capable device can advertise a high priority value and take over as the active router.
• DoS opportunity, maybe MITM - but yersinia isn’t good at it.
• There are two open-source software tools that you can use to perform a DoS attack: Scapy and Yersinia.

https://andrewroderos.com/attacking-hsrp/

Question 39

Describe VRRP

Answer 39

• The Virtual Router Redundancy Protocol (VRRP) is a computer networking protocol that provides for automatic assignment of available Internet Protocol (IP) routers to participating hosts.
• layer 2
• VRRP is an election protocol that dynamically assigns the Virtual IP to one of the routers of the VRRP Group. The Routers operate in a local area network. the Updates are not forwarded beyond the local subnet. Hence it is a layer-2 protocol.
• A host within the same subnet could just spoof VRRP packets and disrupt service.
• the master router is the router with the highest self-assigned ‘priority’ value. By creating a VRRP service with a higher priority, an attacker could become the master (primary router)
• leads to a MITM
• An attack on VRRP is not just theoretical. A tool called Loki allows you to take over the virtual IP-address and become the master router. This will allow you to create a DoS or sniff all traffic.

Question 40

Describe TACACS+

Answer 40

• Terminal Access Controller Access-Control System (TACACS) refers to a family of related protocols handling remote authentication and related services for networked access control through a centralized server.
• (TACACS+) is a protocol developed by Cisco and released as an open standard
• port 49
• headers not encrypted, body of messages are
• traffic is encrypted with a pre-shared key + previous message headers
• PSK is static across all devices with access to that TACACS+ server
• with enough TACACS+ traffic, you can bruteforce the PSK, as all other components are broadcast in plaintext
• no integrity checking on encrypted messages
• result of user authentication sent from TACACS+ server to the device authenticated to is always in the same place
• if you can get the encryption key using above method, you can then modify the result sent from central TACACS+ server to authenticating device, and use any credentials to auth to the device.
• can use ‘tacflip’ tool and MITM attack to authenticate with invalid credentials.

Question 41

Describe the difference between CAT5 and Fibre

Answer 41

The Ethernet calling usually consists of copper cable so basically cat5e, cat 6, cat 6a consists of Ethernet cabling. Multiple outlets are connected to a patch panel (usually 24 Port but sometimes even 48 port) this panel is connected in turn to a routing mechanism called switch.

Fiber is usually used as a backbone cable. It used to connect multiple switches to each other to provide the high bandwidth required and also overcome the distance limitation posed by copper cable.

There’s a new technology which is in design called fiber to desk. It’s a solution where fiber well directly terminate on the laptop or PC. But fiber is fragile compared to copper cable, hence this tech is still in it’s infancy.

Question 42

Describe 10/100/1000baseT

Answer 42

10/100/1000 Base-T An Ethernet connection method using twisted pair cables and operating at 10, 100, or 1000 Mbps. A star connection topology is used with the individual cables terminating at a hub, switch, or router.

Question 43

Describe Token ring

Answer 43

Token Ring protocol is a communication protocol used in Local Area Network (LAN). The stations are connected to one another in a single ring. It uses a special three-byte frame called a “token” that travels around a ring. It makes use of Token Passing controlled access mechanism. Frames are also transmitted in the direction of the token. This way they will circulate around the ring and reach the station which is the destination.

basically the network is a circle and all hosts are just connected to the device before and after them in the circle. packets go round the circle until they reach their destination.

Question 44

Describe Wireless (802.11)

Answer 44

IEEE 802.11 is part of the IEEE 802 set of local area network (LAN) technical standards, and specifies the set of media access control (MAC) and physical layer (PHY) protocols for implementing wireless local area network (WLAN) computer communication.

IEEE 802.11 uses various frequencies including, but not limited to, 2.4 GHz, 5 GHz, 6 GHz, and 60 GHz frequency bands. Although IEEE 802.11 specifications list channels that might be used, the radio frequency spectrum availability allowed varies significantly by regulatory domain.

Question 45

Describe RIP

Answer 45

The Routing Information Protocol (RIP) is one of the oldest distance-vector routing protocols which employs the hop count as a routing metric.

The largest number of hops allowed for RIP is 15, which limits the size of networks that RIP can support.

In RIPv1 routers broadcast updates with their routing table every 30 seconds.

RIP uses the User Datagram Protocol (UDP) as its transport protocol, and is assigned the reserved port number 520.

(MD5) authentication for RIPv2 was introduced in 1997.

Question 46

Describe EIGRP

Answer 46

Enhanced Interior Gateway Routing Protocol (EIGRP) is EIGRP is a distance vector & Link State routing protocol that is used on a computer network for automating routing decisions and configuration. The protocol was designed by Cisco Systems as a proprietary protocol.

MD5 and SHA-2 authentication between two routers.

Sends topology changes, rather than sending the entire routing table when a route is changed.

Periodically checks if a route is available, and propagates routing changes to neighboring routers if any changes have occurred.