Pentest+ Practice Exam Chapter 7 Network Based Attacks (Jonathan Ammerman) Flashcards
Which name resolution service serves internal and external networks, providing resolution for requests sent to port 53/UDP and zone transfers over port 53/TCP? A. NetBIOS B. LLMNR C. nslookup D. DNS
D. DNS
Explanation:
DNS is a name resolution service that provides resolution for both internal and external networks, listening on 53/UDP and providing zone transfers over 53/TCP.
Which network-based attack consists of overwriting a name resolution cache with a malicious web address, resulting in targeted users visiting the malicious site rather than the one they intended to visit? A. DNS cache poisoning B. Waterholing C. ARP spoofing D. Relay attack
A. DNS cache poisoning
Explanation:
The attack described is DNS cache poisoning, sometimes called DNS spoofing.
Which tool, shown here, is used to conduct MiTM attacks against various protocols and services, such as DNS?
A. Ettercap
B. BeEF
C. Wireshark
D. TCPDump
A. Ettercap
Explanation:
The tool shown is Ettercap. Ettercap is primarily used to conduct man-in-the-middle attacks against various network protocols, such as DNS, ARP, FTP, and SSH1. It features both a graphical interface
Which network-based attack is performed against targets that use NTLM authentication by responding to name resolution requests while impersonating authoritative sources on the network, and results in the target sending their username and NTLMv2 hash to the attacker when successful? A. DNS cache poisoning B. LLMNR/NBT-NS poisoning C. Pass the hash D. Downgrade attack
B. LLMNR/NBT-NS poisoning
Explanation:
The attack described here is LLMNR/NBT-NS poisoning. After a successful attack, a penetration tester or malicious agent can then leverage hashcat or John the Ripper to crack the NTLMv2 hash in order to discover the plaintext password, thus netting a valid authorization credential pair. The attacker could also use the hash in later pass-the-hash attacks.
Which Python-based tool, shown running in the following illustration, poisons LLMNR, NBT-NS, and MDNS services and compromises usernames and password hash values by acting as a rogue authentication server? A. Responder B. Ettercap C. BeEF D. Wireshark
A. Responder
Explanation:
The tool shown in the image is Responder, a Python-based tool that simplifies the process of poisoning name resolution services and compromising usernames and hash values by operating as a rogue name service server. It is capable of responding to LLMNR, NBT-NS, and MDNS requests.
Per US-CERT, which class of attack occurs when “an attacker attempts to prevent legitimate users from accessing information or services”? The most common method is flooding; others include resource leak exposure and excessive allocation. A. Denial of service B. Replay attack C. SSL stripping D. ARP spoofing
A. Denial of service
Explanation:
A denial of service attack is defined by US-CERT as one in which an attacker attempts to prevent legitimate users from accessing information or services—that is, denying them service by the resource in question.
Which category of DoS attack attempts to crash a service outright, with its severity measured in requests per second (Rps)? A. Protocol attacks B. Volume-based attacks C. Amplification attacks D. Application layer attacks
D. Application layer attacks
Explanation:
Application layer DoS attacks are those meant to crash a specific service entirely, and the severity or intensity of such an attack is measured in requests per second (Rps). An example of this would be uploading excessively large files repeatedly to a shared network storage device, filling up all available storage space and preventing legitimate users from leveraging the resource.
Consider the hping3 command string and output shown in the following illustration.
What is the net effect of the -c flag in this command string?
A. Designates the target IP as 10.1.2.2
B. Denotes that the command should send five (5) packets in total
C. Sends the attack through network device eth0
D. Sets the interval between outgoing packets to 250 milliseconds
B. Denotes that the command should send five (5) packets in total
Explanation:
As with the ping command, the -c (count) flag is followed by the number of packets to be sent.
Which command-line exclusive network protocol analysis tool allows for the capture of packet dumps to and from a given network interface or host, so they may be inspected to determine server responses or related network behavior? A. Wireshark B. Responder C. tcpdump D. hping3
C. tcpdump
Explanation:
tcpdump is a command-line exclusive tool that sniffs network traffic and can create packet dumps (PCAP files) to and from a given network interface or host.
Consider the Scapy output and packet structure shown next.
What is the purpose of the packet sent to the target system?
A. GET request for HTTP
B. SMB connection request
C. UDP probe
D. ICMP ping
D. ICMP ping
Explanation:
The packet segments proto=icmp and type=echo-reply are key indicators that this packet is an ICMP ping. Note that the load field will often contain clues as to the specific request being made, since this would be the location of the actual data being transferred; everything preceding it is standard TCP/IP overhead.
Spanning Tree Protocol (STP) optimizes switched (that is, Layer 2) networks by ensuring there are no switching loops, and the most effective attacks against it are DoS attacks. Which of the following answers best describes a method for an attacker to specifically target STP and the networks it protects?
A. Forcing an IP conflict by statically assigning another compromised box the same IP as the network gateway in an attempt to trigger a race condition in device ARP caches and poison future packet routing
B. Spoofing the MAC ID of another system in the network, causing a MAC ID collision and triggering a MAC flap
C. By abusing the lack of an authentication process for STP and crafting malicious Bridge Protocol Data Units (BPDUs), selecting a nonexistent switch as the root bridge, and triggering repeated BPDUs from other hosts on the network until a broadcast storm is achieved and the network becomes unresponsive
D. Sending an ICMP flood against a switch in the network, consuming its resources until it is unable to perform legitimate network functions reliably
C. By abusing the lack of an authentication process for STP and crafting malicious Bridge Protocol Data Units (BPDUs), selecting a nonexistent switch as the root bridge, and triggering repeated BPDUs from other hosts on the network until a broadcast storm is achieved and the network becomes unresponsive
Explanation:
By repeatedly triggering an election broadcast for a new (and nonexistent) root bridge, an attacker can force a broadcast storm to take place on a local link network, effectively leaving the network nonresponsive.
Which VLAN-hopping technique prepends an otherwise unauthorized VLAN tag to traffic originating from the default VLAN? This traffic is then forwarded to the intended target by the next switch, as if it originated from that unauthorized VLAN, effectively bypassing Layer 3 access control schemes. A. Double tagging B. Switch spoofing C. SSL flooding D. Amplification
A. Double tagging
Explanation:
Double tagging is the VLAN-hopping technique that abuses default VLAN assignments by prepending a tag for an otherwise unauthorized second VLAN to traffic intended for targets in that second VLAN. Use of this technique requires that systems in a network have a default VLAN assignment. Defenders and blue teams can mitigate the potential for this VLAN-hopping method by ensuring that default VLAN assignments are disabled in their networks. From a defender’s perspective, this method of VLAN hopping can be defeated by ensuring that no hosts are assigned to VLAN 1 (the default VLAN), by changing the native VLAN on trunk ports to an otherwise unused VLAN ID or by explicitly tagging the native VLAN on all trunk ports.
Which of the following is not a method of bypassing Network Access Control (NAC)?
A. Exploitation of weaknesses in the network control implementation
B. Posing as a representative of a company’s IT department and convincing the COO to provide his VPN credentials over the phone
C. Exploitation of weaknesses in network configuration
D. Violation of existing trust relationships
B. Posing as a representative of a company’s IT department and convincing the COO to provide his VPN credentials over the phone
Explanation:
Calling a high-value target at an organization under the pretext of being a member of his IT staff can be an effective way to obtain network credentials if the odds are in your favor (how gullible is the target? How much training have they received on phishing techniques? Is there precedent for technical staff to simply ask employees for credentials?), but this is an example of social engineering to obtain credentials rather than a means of bypassing Network Access Control. Take note that the use of these credentials would be an example of a method of bypassing network controls, as would be convincing the target to run a malicious script or program you provide; this is because it would abuse an existing trust relationship (in that the COO’s username and password are valid and assumed to be used by the COO exclusively).
SNMP is an industry-standard network monitoring protocol that allows users to collect and alter information about various devices over a network. Which of the following are features of SNMP or its versions of implementation that can be leveraged to exploit the protocol? (Choose two.)
A. An attacker only requires the public community string for write-access in SNMPv3.
B. Trap notifications can be forged, allowing attackers to intercept SetRequests intended to fix the supposed fault.
C. Authentication for SNMPv1 and v2 only requires access to the community string in use, which is sent in clear text between the manager and its agents.
D. System default community strings (usually “public” for read-only access, and “private” for write access).
C. Authentication for SNMPv1 and v2 only requires access to the community string in use, which is sent in clear text between the manager and its agents.
D. System default community strings (usually “public” for read-only access, and “private” for write access).
Explanation:
SNMP versions 1 and 2 only require the community strings for access (which are sent in cleartext and therefore are vulnerable to network sniffing), and SNMP configurations often have default community strings (such as “public/private”) that can be abused by an attacker.
Which of the following would allow a penetration tester to execute arbitrary commands against a Windows target with either an open SMB share or a closed SMB share when providing authorized credentials? A. The nmap script smb-enum-shares.nse B. enum4linux.pl C. The psexec module found in Metasploit (exploit/windows/smb/psexec), Windows Sysinternals, or Core Security’s impacket suite D. onesixtyone
C. The psexec module found in Metasploit (exploit/windows/smb/psexec), Windows Sysinternals, or Core Security’s impacket suite
Explanation:
The psexec function in Metasploit, Windows Sysinternals, and Core Security’s impacket suite enables users to remotely execute commands on a target Windows system for which they have valid authorization credentials.