Professor Mike Meyers Flashcards

1
Q

What is the PDU called at the transport layer?

A

TCP PDU is called TCP segment
UDP PDU is called UDP datagram

2
Q

Is ICMP just one kind of packet?

A

No. The ICMP header carries a type field (and a code field) that defines what this particular ICMP message is for.

For example, type 3 is Destination Unreachable (with codes such as host unreachable or port unreachable), types 8 and 0 are Echo Request and Echo Reply (ping), and type 11 is Time Exceeded, which traceroute relies on.

3
Q

What are the main fields of an IGMP message?

A

An IGMPv2 message has the following fields ->

Type + max response time + checksum + group (multicast) address

The source address is in the IP header that carries the IGMP message, not in IGMP itself.

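
Added example (the editor's code, not from the original flashcards) for cards 2 and 3: a small Python parser for ICMP and IGMPv2 headers that exposes the type/code fields and the IGMP fields, and verifies the RFC 1071 checksum both protocols share. The sample messages are constructed inside the code, not captured from a network.

```python
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (shared by IP, ICMP and IGMP).
    Computed over a message whose checksum field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded"}
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable"}
IGMP_TYPES = {0x11: "Membership Query", 0x12: "v1 Membership Report",
              0x16: "v2 Membership Report", 0x17: "Leave Group"}


def parse_icmp(msg: bytes) -> dict:
    """Decode the 8-byte ICMP header; the type/code pair says what the message is for."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, _csum, rest = struct.unpack("!BBH4s", msg[:8])
    info = {"type": icmp_type, "code": code,
            "name": ICMP_TYPES.get(icmp_type, "type %d" % icmp_type),
            "checksum_ok": inet_checksum(msg) == 0}
    if icmp_type in (0, 8):                  # echo: identifier + sequence number, then payload
        info["id"], info["seq"] = struct.unpack("!HH", rest)
        info["payload"] = msg[8:]
    elif icmp_type == 3:                     # unreachable: carries the offending packet's IP header
        info["reason"] = UNREACH_CODES.get(code, "code %d" % code)
        info["original_ip_header"] = msg[8:28]
    return info


def parse_igmp(msg: bytes) -> dict:
    """Decode an IGMPv2 message: type, max response time, checksum, group address."""
    if len(msg) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    igmp_type, max_resp, _csum, group = struct.unpack("!BBH4s", msg[:8])
    return {"type": igmp_type,
            "name": IGMP_TYPES.get(igmp_type, "type 0x%02x" % igmp_type),
            "max_response_time_s": max_resp / 10.0,   # field is in tenths of a second
            "group": socket.inet_ntoa(group),
            "checksum_ok": inet_checksum(msg[:8]) == 0}


def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with the checksum filled in."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return struct.pack("!BBH", icmp_type, code, inet_checksum(body)) + rest + payload


def build_igmp(igmp_type: int, max_resp_tenths: int, group: str) -> bytes:
    """Assemble an IGMPv2 message with the checksum filled in."""
    body = struct.pack("!BBH4s", igmp_type, max_resp_tenths, 0, socket.inet_aton(group))
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


# Constructed sample messages (not captured from a real network).
ECHO_REQUEST = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"ping-payload")
PORT_UNREACH = build_icmp(3, 3, b"\x00" * 4, b"\x45\x00" + b"\x00" * 18)
IGMP_JOIN = build_igmp(0x16, 0, "239.1.1.1")

if __name__ == "__main__":
    for m in (ECHO_REQUEST, PORT_UNREACH):
        print(parse_icmp(m))
    print(parse_igmp(IGMP_JOIN))
    tampered = ECHO_REQUEST[:-1] + b"!"      # one payload byte changed: checksum no longer verifies
    print("tampered checksum ok?", parse_icmp(tampered)["checksum_ok"])
```

The checksum check is the part worth keeping in mind when reading captures: a message whose checksum does not verify is either corrupted or crafted, and a real stack will drop it before the type field is ever acted on.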
4
Q

Define IGMP?

A

IGMP (Internet Group Management Protocol) is how hosts tell the routers on their segment which multicast groups they want to receive. Say a server is hosting live video that needs to reach a large number of recipients: it sends a single stream to a multicast address (224.0.0.0/4). Hosts that want to watch send an IGMP membership report for that group, and the routers in the path forward the stream only onto segments that have at least one member. This way the server sends one stream of data instead of one unicast stream per recipient.

5
Q

What is traceroute and what is its Windows equivalent?

A

It is a troubleshooting tool that tells us the hop-by-hop path from the local host to a remote host: it sends probes with increasing TTL values and reports each router that answers with an ICMP Time Exceeded message.
The Windows equivalent is tracert.

Linux traceroute sends UDP probes by default (ICMP Echo with -I, TCP SYN with -T); Windows tracert and pathping both use ICMP Echo. If some router or firewall filters one probe type, switching to another often gets through. pathping additionally pings every hop repeatedly and reports per-hop packet loss.

When things are running well, run traceroute anyway so you know what a normal path looks like and are familiar with the tool.

6
Q

What is one of the things you should check if you are not getting the right speed from your ISP?

A

Look for a cheap (underpowered) router in the path; it may not be able to forward traffic at the speed the ISP provides.

7
Q

Learn Wireshark.

A

I will

8
Q

What packet-capturing tool can we use from the Linux command line?

A

tcpdump - it captures frames from an interface and can save them to a pcap file (the -w option), which we can then open in an analyzer such as Wireshark.

9
Q

What is the netstat command used for?

A

It lists the open (listening) ports and active connections on our system.
It has a number of different options.

10
Q

Define some popular netstat options.

A

netstat -n shows raw numbers (IP addresses and port numbers) instead of resolving them to names.

netstat -b (Windows, needs an elevated prompt) shows the executable that owns each connection; on Linux the equivalent is -p.

netstat -o (Windows) shows the owning process ID, which we can look up in Task Manager.

netstat -nbo combines the three.

netstat -a shows all sockets, including the ports that are only listening.

11
Q

What is netstat -r used for?

A

It shows the routing table (on Windows as well as Linux; on Windows it is the same output as route print).

12
Q

If we need to check whether a device is running a web server, how do we do that?

A

On the device itself, run

netstat -a (or netstat -ano to get PIDs) and see whether anything is LISTENING on TCP port 80 or 443. On Linux, ss -ltn shows the same thing.

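
Added example (the editor's code, not part of the original deck) covering cards 10, 12 and 78: parsing Windows `netstat -ano` output to find what is LISTENING on 80/443 together with the owning PID, and listing listeners that are not on an approved-port list, the "unwanted open ports" check. The netstat text is a constructed sample and the allow-list is a demo assumption.

```python
import re

# Constructed sample of `netstat -ano` output on Windows (not taken from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1240
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       5512
  TCP    192.168.1.10:49731     52.97.145.2:443        ESTABLISHED     6120
  TCP    [::]:443               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    2288
"""

# Proto, local, foreign, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text: str) -> list:
    """Turn netstat -ano rows into dicts; IPv6 addresses come as [addr]:port."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # header, blank line, or unknown protocol
        proto, local, foreign, state, pid = m.groups()
        host, port = local.rsplit(":", 1)
        rows.append({"proto": proto, "local_host": host.strip("[]"),
                     "local_port": int(port), "foreign": foreign,
                     "state": state or "", "pid": int(pid)})
    return rows


def listeners(rows: list) -> list:
    """Sockets waiting for inbound traffic: LISTENING TCP sockets and every bound UDP socket."""
    return [r for r in rows if r["state"] == "LISTENING" or r["proto"] == "UDP"]


def web_server_listeners(rows: list) -> list:
    """Card 12: is anything serving HTTP/HTTPS on this box, and which process is it?"""
    return [r for r in listeners(rows) if r["proto"] == "TCP" and r["local_port"] in (80, 443)]


def unexpected_listeners(rows: list, allowed_ports: set) -> list:
    """Card 78 hardening check: listeners not on the approved list.
    Loopback-only binds are ignored because they are not reachable from the network."""
    return [r for r in listeners(rows)
            if r["local_port"] not in allowed_ports
            and r["local_host"] not in ("127.0.0.1", "::1")]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for r in web_server_listeners(rows):
        print("web server on %s:%d owned by PID %d" % (r["local_host"], r["local_port"], r["pid"]))
    approved = {80, 443, 135, 445}            # demo allow-list
    for r in unexpected_listeners(rows, approved):
        print("unexpected %s listener on port %d (PID %d)" % (r["proto"], r["local_port"], r["pid"]))
```

Pipe real output in with `netstat -ano` from an elevated prompt (`-b` adds the executable name but is slower); the same parser works for Linux `netstat -ano` apart from the missing PID column, where `ss -ltunp` is the better source.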
13
Q

What are the 2 most common kinds of web servers?

A

One is Microsoft IIS (Internet Information Services)

The other is Apache (open source)

14
Q

What ports does an FTP server use?

A

The control connection listens on TCP port 21.
In active mode the server opens the data connection from its port 20 back to the client; in passive mode the client connects to a high-numbered port that the server announces, which is why passive mode works better through client-side firewalls and NAT.

15
Q

If we want people to connect to our FTP SERVER to download some files without entering any USER NAME / PASSWORD, what kind of account do we need to create on the FTP SERVER?

A

We can create an ANONYMOUS account (user name anonymous) with no real password; by convention clients send an e-mail address as the password. Give it read-only access to the download directory only.

16
Q

Can Internet Explorer act as an FTP client, and how?

A

Yes, we can type an ftp:// URL in the address bar, for example

ftp://202.13.212.104

(Current browsers have since dropped FTP support.)

17
Q

Does Windows have a built-in FTP client?

A

Yes, the command-line ftp client.

Just type -> ftp serverName (or the IP address)

Once connected, we can use the GET command for file downloads and the PUT command for file uploads.

Plain FTP sends the user name, password and data in cleartext, so prefer SFTP or FTPS where possible.

18
Q

What are the different modes an AP can work in?

A
  1. Repeater - it repeats the signal from the AP. Repeaters normally have two sets of transmitters and receivers: one set receives the signal from the AP and the other retransmits it, so the two do not interfere with each other.
  2. Workgroup bridge (WGB) - in this mode it acts as a wireless NIC for a wired client that has no wireless capability. The WGB works on the same frequency as the AP.
  3. Outdoor bridge - used to connect two or more buildings (or sites) that are a large distance apart.
  4. Mesh network - it can also take part in a mesh topology.

19
Q

Give an example of a cloud-based AP architecture.

A

Cisco Meraki is cloud-based and offers centralized management of wireless, switched and security networks built from Meraki products.

20
Q

What is the split-MAC architecture in ACCESS POINTS?

A

In split-MAC, duties are divided between the WLC (wireless LAN controller) and the lightweight APs.
The work an AP does is divided into 2 groups -> management functions, which move to the WLC, and real-time functions, which stay on the AP.

21
Q

What are the management functions in the split-MAC AP architecture?

A

RF management, authentication, security management, QoS, association and roaming management

22
Q

What are the real-time functions that stay on the AP?

A

RF transmit/receive
MAC management
Encryption

23
Q

How do the WLC and AP talk to each other?

A

Using CAPWAP - Control and Provisioning of Wireless Access Points. It runs over UDP: port 5246 for the control tunnel and 5247 for the data tunnel.

24
Q

What are the 2 kinds of messages that travel in CAPWAP tunnels?

A
  1. CAPWAP control messages - these travel between the lightweight AP and the WLC to control the AP. They are authenticated and encrypted (DTLS), so the AP is securely controlled only by the appropriate WLC.
  2. CAPWAP data - carries the packets travelling to and from the wireless clients associated with the AP. Data packets are transported over the data tunnel but are not encrypted by default; when data encryption is enabled for the AP, they are protected with Datagram Transport Layer Security (DTLS).

25
Q

In an enterprise WLAN, how is it ensured that no unauthorized AP connects to your network?

A

Every AP and WLC must authenticate each other with digital certificates. An X.509 certificate is preinstalled in each device when it is manufactured, and the CAPWAP DTLS handshake uses these certificates behind the scenes, so every device is properly authenticated before it becomes part of the wireless network. This process helps assure that no one can add an unauthorized AP to your network.

26
Q

How can we use a browser as an FTP client?

A

By default browsers fetch http:// and https:// URLs, but they could also open an ftp:// URL.

So we type ftp://202.13.212.104

(Current browsers have dropped FTP support, so this now needs a dedicated FTP client.)

27
Q

Can our command prompt also act as an FTP client?

A

Yes it can. We just type

ftp server_address

The "get" command downloads files and the "put" command uploads them.

28
Q

What port number does IMAP use?

A

It uses TCP port 143 (and 993 for IMAP over implicit TLS).

29
Q

What protocol helps with encrypting e-mail traffic, and what ports does it use?

A

TLS. With the STARTTLS extension the client connects to the normal plaintext port (SMTP submission on 587, also 25; IMAP 143; POP3 110) and then upgrades the same connection to TLS. With implicit TLS the connection is encrypted from the first byte on a dedicated port: SMTPS 465, IMAPS 993, POP3S 995.

30
Q

What were the traditional ways of using TLS to secure the e-mail protocols?

A

Two approaches exist.

STARTTLS: the client connects to the old plaintext port (SMTP 25/587, IMAP 143, POP3 110) and, after the server advertises STARTTLS, upgrades the session to a TLS-encrypted one. Everything before the upgrade (banner, EHLO, capability list) travels in the clear, and an attacker on the path can strip the STARTTLS advertisement to force the session to stay in plaintext unless the client is configured to require TLS.

Implicit TLS (the original "secure port" approach): the connection is TLS from the very beginning on a dedicated port per protocol: SMTPS 465, IMAPS 993, POP3S 995. Port 587 is the message submission port and is normally used with STARTTLS.

31
Q

For the Network+ exam, note that there was also an rlogin client, which ran on TCP port 513 and sent everything in cleartext.

It has been replaced by SSH (TCP port 22).

A

32
Q

What are IPAM (IP ADDRESS MANAGEMENT) tools?

A

An IPAM tool tracks and manages allotted IP addresses (typically together with the DHCP scopes and DNS records), keeping the addresses that server and VM farms need available.

33
Q

Define the 3 main kinds of access control.

A

MAC - Mandatory Access Control - each resource carries a classification label (e.g. Top Secret) and each user a clearance; the system, not the owner, decides access from the labels. It is the strictest model, used in military/government systems and in SELinux.

Then there is -
DAC - Discretionary Access Control - the owner of a resource decides who may access it, e.g. NTFS permissions where the owner grants another user read access to a file. More flexible than MAC, but an owner can give access away.

THEN ->

Role-Based Access Control - RBAC - permissions are assigned to roles (Sales, Accounting) and users get permissions by being placed in those roles.

34
Q

What does a RADIUS setup look like?

A

RADIUS - Remote Authentication Dial-In User Service

Supplicant ---- RADIUS client ---- RADIUS server

The RADIUS client is the network access device, e.g. a wireless AP/router, switch or VPN concentrator; it is not the device that provides the user name/password (that is the supplicant). The client relays the credentials to the RADIUS server.

It is not necessary for the RADIUS server to hold the user name/password database itself. For example, in an enterprise environment it can check the user name/password against ACTIVE DIRECTORY.

It uses UDP: port 1812 for authentication and 1813 for accounting (older implementations used 1645/1646). Only the password attribute is obfuscated, so RADIUS traffic should stay on a management network or run over IPsec or TLS (RadSec).

35
Q

What port number is used by TACACS+?

A

TCP 49

36
Q

What is the common use of Kerberos?

A

It provides authentication (and single sign-on) on local area networks, e.g. Windows Active Directory domains.

37
Q

Define kerberos.

A

Kerberos is set up on a Windows server (a domain controller) that acts as the KDC - Key Distribution Center.

The KDC consists of 2 services - 1st is the Authentication Service (AS) and 2nd is the TGS (Ticket Granting Service).

Here is how it works -

  1. The client sends an authentication request to the KDC. It proves knowledge of the password by encrypting a timestamp with a key derived from it (the password, or its hash, is never sent over the network). The AS replies with a TGT (Ticket Granting Ticket), encrypted so only the KDC can read it, plus a session key.
  2. To reach a service, the client presents the TGT to the TGS and receives a time-stamped service ticket for that service.
  3. The client presents the service ticket to the server, which decrypts it with its own key and authorizes the user.

Tickets are time-stamped and expire; a TGT is typically valid for 8 to 10 hours (the Windows default is 10) and can be renewed.

38
Q

Define EAP (Extensible Authentication Protocol).

A

It is an authentication framework in which the server asks the client what kind of authentication (EAP method) the client supports and then uses that method. EAP itself does not authenticate anyone; the negotiated method does.

Different authentication methods that it can negotiate include the following -
- EAP-PSK (pre-shared key)
- PEAP (Protected Extensible Authentication Protocol) - builds a TLS tunnel using a server certificate, then authenticates the user with a user name and password (MSCHAPv2) inside it
- EAP-MD5 - a challenge/response using an MD5 hash of the password; no server authentication, vulnerable to offline dictionary attacks, not suitable for wireless
- EAP-TLS - certificates on both sides: the server presents its certificate and every client needs its own certificate (mutual authentication)

39
Q

Where is EAP mostly used?

A

It is used in wireless networks (WPA Enterprise via 802.1X). Kerberos dominates authentication on wired networks.

40
Q

What do we use for single sign-on on local area networks?

A

Active Directory (which uses Kerberos)

41
Q

What is SAML (Security Assertion Markup Language) used for?

A

It is used for web single sign-on: a user logs in once and can then use multiple applications with that single account.

In the SAML model there is an identity provider (IdP), which authenticates the user, and service providers (SPs), the applications, which trust a signed assertion from the IdP about who the user is instead of checking credentials themselves.

SSOCircle is a public test IdP that provides a variety of service provider (SP) samples.

42
Q

Security trust question - when a public key is shared by some server, how do we know where it came from (whether it actually came from this server) and that the server is the entity it claims to be?

A

We use signed certificates, e.g. X.509 certificates, in which a trusted third party (a CA) binds the public key to the server's identity.

43
Q

What is a digital signature in certificates?

A

It is a hash of some data that has been transformed (signed) with the signer's private key. It is the mechanism by which we can verify that data, and a public key in particular, came from whoever holds the private key associated with that public key.

So how is it verified?
Let's take the example of a web server connection.

The server hashes the data it wants to sign (e.g. the handshake messages, or the contents of a certificate), signs that hash with its private key, and sends the data, the signature and its public key to the host.
The host on the other end hashes the same data itself, uses the server's public key to recover the hash from the signature, and compares the two. If they match, the host knows the data was signed by the server that has the associated private key and that it was not altered in transit.

44
Q

Digital certificates - how do they verify that a public key came from the legitimate source?

A

Here comes the involvement of a 3rd-party CA that both parties trust.

So let's say I am the server. I generate a key pair and send the CA a signing request containing my identity and my public key; the CA checks that I control the domain and returns a signed certificate that vouches for me. This certificate (a kind of envelope) contains my identity, my public key, a validity period and the CA's digital signature over all of it. Every time anyone connects to me, I pass this certificate on to them.

The host checks the CA's signature with the CA public key it already has in its trusted root store, so it knows my public key really belongs to me without having to trust me directly.
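
Added example covering cards 43 and 44; this is the editor's illustration, not code from the deck. It uses textbook RSA with toy key sizes and no padding purely to make the hash-sign-verify mechanics and the "CA vouches for the key" chain visible; the key pairs, the host name www.example.test and the mini certificate format are invented for the demo. Real systems use a crypto library and X.509, never this.

```python
import hashlib
import random


def is_probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(bits: int = 512, seed=None):
    """Toy RSA key generation, deterministic for a given seed so the demo is repeatable.
    Returns (public, private) as ((n, e), (n, d))."""
    rng = random.Random(seed)

    def random_prime():
        while True:
            cand = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1   # full-size, odd
            if is_probable_prime(cand, rng):
                return cand

    e = 65537
    while True:
        p, q = random_prime(), random_prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:          # e is prime, so this guarantees gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data: bytes) -> int:
    """Signature = SHA-256(data) transformed with the private exponent (card 43)."""
    n, d = private_key
    return pow(_digest(data), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Recompute the hash and compare with the hash recovered via the public exponent."""
    n, e = public_key
    return pow(signature, e, n) == _digest(data)


def _tbs(subject: str, pubkey) -> bytes:
    """The 'to be signed' part of our mini certificate: identity plus public key."""
    return ("%s|%d|%d" % (subject, pubkey[0], pubkey[1])).encode()


def issue_certificate(ca_private, subject: str, subject_pubkey) -> dict:
    """The CA vouches for the binding subject <-> public key by signing it (card 44)."""
    return {"subject": subject, "pubkey": subject_pubkey,
            "signature": sign(ca_private, _tbs(subject, subject_pubkey))}


def verify_certificate(cert: dict, ca_public) -> bool:
    return verify(ca_public, _tbs(cert["subject"], cert["pubkey"]), cert["signature"])


def verify_server(cert: dict, ca_public, expected_host: str, data: bytes, signature: int) -> bool:
    """What a client does: trust the CA's signature on the cert, check the name,
    then check the server's own signature with the public key the cert carries."""
    return (verify_certificate(cert, ca_public)
            and cert["subject"] == expected_host
            and verify(cert["pubkey"], data, signature))


# Constructed demo keys: a trusted CA, a legitimate server, and an impostor.
CA_PUB, CA_PRIV = generate_keypair(seed=1)
SRV_PUB, SRV_PRIV = generate_keypair(seed=2)
ATK_PUB, ATK_PRIV = generate_keypair(seed=3)
SERVER_CERT = issue_certificate(CA_PRIV, "www.example.test", SRV_PUB)
ATTACKER_CERT = issue_certificate(ATK_PRIV, "www.example.test", ATK_PUB)   # self-signed impostor

if __name__ == "__main__":
    handshake = b"client-hello|server-hello|key-share"
    print("genuine:", verify_server(SERVER_CERT, CA_PUB, "www.example.test",
                                    handshake, sign(SRV_PRIV, handshake)))
    print("impostor:", verify_server(ATTACKER_CERT, CA_PUB, "www.example.test",
                                     handshake, sign(ATK_PRIV, handshake)))
```

The impostor's certificate fails even though its own signature over the handshake is internally valid: the client only trusts keys that the CA it already knows has signed, which is exactly what a self-signed certificate cannot provide (card 45).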

45
Q

What are unsigned (self-signed) certificates?

A

Certificates with no 3rd party such as a CA vouching for me; I sign my own certificate.
They can work inside the local area network if the clients are explicitly configured to trust them (or an internal CA that issued them). Without that, a client has no way to tell a legitimate self-signed certificate from one an intruder presents, so "no intruder has access" is not a safe assumption.

46
Q

What is PKI - public key infrastructure?

A

It is the hierarchy of certificate authorities (root and intermediate CAs) that issue certificates, together with the policies, revocation services and key management around them.

47
Q

What technologies does a browser use to verify whether a certificate is still valid (not revoked)?

A

CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol); many servers now staple a recent OCSP response to the TLS handshake.

48
Q

Note - a self-signed certificate causes a certificate warning on an HTTPS (port 443) connection, because the certificate has not been issued by a certificate authority the browser trusts.

A
49
Q

In its simplest form, what does a VPN do?

A

It encapsulates private addressing (LAN IPs) inside packets with public Internet IPs; in effect it creates a tunnel.

Note - the tunnel by itself may not be encrypted (GRE, for example, is not); confidentiality needs IPsec, TLS or similar on top.

50
Q

What does port bonding do?

A

It links (aggregates) several switch ports into one logical link to increase bandwidth and provide redundancy.
Uses LACP (Link Aggregation Control Protocol, IEEE 802.3ad/802.1AX)

51
Q

What is the port mirroring command on Cisco IOS?

A

monitor session 1 source interface fa0/24
monitor session 1 destination interface fa0/23

52
Q

What are the roles of IPS, IDS and firewall with respect to each other?

A

Firewall - filters traffic according to rules
IDS - monitors traffic (out of band) and notifies
IPS - sits inline and acts to stop (drops) the traffic

53
Q

What is the role of forward proxies?

A

It sits on the client side and hides the clients from the servers they talk to; the clients are aware of (configured to use) the proxy.
It can be a dedicated box or software.
- provides caching
- provides content filtering
- acts as a firewall (only permitted protocols and destinations get out)

Also note - proxies are application-specific. Depending on the type of application, there are different types of proxies.
- web proxy
- FTP proxy
- VoIP proxy

54
Q

What is the concept of a Tor network/proxy?

A

With Tor, a client hides its origin so that traffic cannot be traced back to it.
The client's connection is relayed through several Tor nodes (an entry guard, a middle relay and an exit node); each node only knows the previous and the next hop, and each hop strips one layer of encryption (onion routing).

55
Q

What is a reverse proxy server?

A

These proxies sit in front of servers and protect them from attackers.
- provide security protection, e.g. absorbing denial-of-service traffic and hiding the origin servers
- provide caching
- provide load balancing
- handle encryption/decryption (TLS termination)

56
Q

What is the old-fashioned way of doing load balancing?

A

It is done using DNS.

1st way is round robin via DNS. Let's say we have 3 servers that need to be load balanced. In their authoritative DNS SERVER we have 3 A records for the same name, and as queries come in the DNS server rotates the order of the answers, so clients go to the 1st server, then the 2nd, and so on. It is crude: DNS has no idea whether a server is up or busy, and clients cache the answer.

2nd way is geographic DNS. The DNS server looks at the source address of the resolver making the query, works out which server is closest to it (the servers can be on different continents) and returns that server's IP ADDRESS for the connection.

57
Q

What is server-side load balancing?

A

A load balancer that is physically present at the site, in front of the servers. It can query (health-check) the individual servers to know which are up and not busy and spread connections accordingly.
- can also handle encryption/decryption (TLS termination)

58
Q

Define DMZ.

A

Demilitarized zone.
DMZs are used to protect public-facing servers by creating an isolated network segment for those devices between the Internet and the private network.
Classically 2 firewalls are used in a DMZ: one allowing unsolicited traffic from the Internet to the public service, and the 2nd maintaining isolation of the private network, so that a compromised public server cannot reach the LAN directly. (A single firewall with three interfaces is the common alternative.)

59
Q

Into what types can DoS attacks be broken down?

A

Volumetric attacks - consume bandwidth; it can be a continuous PING (ICMP) flood or a UDP flood.

Application attacks - ones aimed at a particular application. For example, Slowloris, which holds many HTTP connections half-open to exhaust an Apache server's connection slots.

Protocol attacks - ones that abuse a particular protocol's state handling. For example, a SYN flood / TCP SYN attack.

60
Q

Give me an example of an amplification attack.

A

Smurf attack - in this one, the attacker spoofs the IP address of its target as the source and sends ICMP echo requests to a network's broadcast address, so every node on that network replies to the target: one packet in, many out (the amplification).

61
Q

What is a DDOS - distributed denial of service attack?

A

In this attack, a large number of computers attack a single target.
The attacker infects other devices with malware that turns them into bots (zombie devices); the collection is a botnet, which the attacker directs via command and control to contact the target machine in some way.

62
Q

What is a virus?

A

A virus is malicious code that gets onto our computers, historically from a floppy disk and now from a thumb drive or e-mail attachment, and attaches itself to other files (programs or OS files).
What does it do?
It propagates to other files and connected devices and at some point activates its payload (for example, it might delete the OS FILES).

63
Q

What is Adware?

A

It is a type of malware that pops up advertisements (in the browser or on the desktop), often bundled with free software.

64
Q

What is spyware?

A

It is a type of malware that hides itself on the system and will "phone home" in some way.
It might be sending monitored data (keystrokes, browsing history) or sending cookies etc.

65
Q

What is Trojan malware?

A

It is a piece of software that looks legitimate but carries a malicious payload; unlike a virus or worm it does not propagate on its own.

For example - Remote Access Trojans (RATs) -
The Trojan does nothing visible until the attacker connects to it from outside (or it calls home to the attacker), and then the attacker has remote control of the machine and bad things start happening.

66
Q

What is Ransomware?

A

In its basic form, it encrypts the victim's data and demands a ransom for the key to decrypt it.

67
Q

What is a logic bomb malware?

A

It is similar to a Trojan in that it does not propagate and needs to be activated.
Though it is not remotely accessed and then activated.

It activates when some condition is met. For example, when some account is deactivated (a disgruntled administrator's insurance policy), or on a particular date.

68
Q

What is rootkit and backdoor Malware?

A

A rootkit is software that hides its own presence (and that of other malware) by modifying the OS at a privileged level (kernel, drivers or boot code), so that the tools you would use to find it report nothing. It usually gets there through privilege escalation or as part of another infection.

For example - the Sony BMG rootkit shipped on audio CDs in 2005.

These are notoriously hard to detect from the running system; detection often means scanning from clean boot media.

Backdoor - a piece of software (or a hidden account) that lets someone bypass the normal authentication to access a system. Sometimes it is left by an attacker to keep access, sometimes planted intentionally by a developer or vendor.

69
Q

What are the different characteristics malware can have?

A

It can be an armored virus (obfuscated to resist analysis) or polymorphic (it changes some of its code on each infection so signatures no longer match).
It can also include a keylogger to get passwords etc.

70
Q

Define stateless and stateful firewalls.

A

Stateless firewall - checks each packet on its own against a list of rules (ACLs): source/destination address, port and protocol. It has no memory of earlier packets, so return traffic must be allowed explicitly.

Stateful firewall - looks at every packet and decides whether it should let it through, but it also keeps a state table of all active connections between a client and a server. If some packet is part of an active connection, the firewall does not compare this packet with each ACL; it just allows the packet in as part of the active connection. Only the first packet of a new connection (e.g. a TCP SYN) is compared against the rules, and unsolicited inbound packets that match no state entry are dropped.

71
Q

What program in Linux can we use to spoof addresses?

A

Ettercap - it can act as a spoofer. It can also grab data from the network and give us the information that we want.

Ettercap creates a lot of noise on the network (gratuitous ARP replies) that is easily detected by a good IDS/IPS.

We can do DHCP SPOOFING, ARP spoofing, DNS poisoning etc. all from a single program.

72
Q

Give me examples of some man-in-the-middle attacks.

A

URL hijacking or typosquatting - registering a misspelling of a domain so that mistyped traffic lands on the attacker's site.

Domain hijacking - when someone forgets to renew their public domain registration and someone else buys it (or the registrar account is taken over).

Replay attacks - captured traffic, e.g. an authentication exchange, is resent later.

Downgrade attack - the attacker forces the parties to negotiate weaker (or no) encryption.

Session hijacking - it is quite difficult as it has to be done in real time. There are simple forms as well, e.g. Firesheep, which picked session cookies out of unencrypted Wi-Fi traffic.

73
Q

What are unified threat management devices (UTM)?

A

These are devices that combine many functions in one box: firewall, proxy server, VPN endpoint, IDS/IPS, antivirus, content filtering, etc.

74
Q

What do stateless firewalls filter packets on?

A

They filter packets based on ports, IP addresses and protocol, one packet at a time. They do not look deep into the data,
and they do not track the state of conversations.

75
Q

What are stateful firewalls?

A

Firewalls that track the state of every connection. Modern ones are also context- and application-aware (next-generation firewalls) and can filter traffic based on the content of the packets.

These do deep packet inspection (DPI).
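
Added example covering cards 70, 74 and 75 (the editor's code, not from the deck): a stateless packet filter and a stateful connection tracker run over the same constructed packet sequence. It shows why the stateless "allow inbound if the ACK bit is set" rule (the classic `established` trick for letting return traffic in) also lets an ACK scan through, while the stateful firewall drops anything that has no state-table entry. The addresses and the ACL are demo assumptions.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")   # TCP only; flags like "S", "SA", "A"

# ACL rule: (direction, destination port or None for any, require ACK bit, action).
ACL = [
    ("out", None, False, "allow"),   # inside hosts may initiate anything
    ("in", None, True, "allow"),     # stateless "established": only checks a flag bit
]


class StatelessFirewall:
    """Judges every packet on its own against the ACL; no memory of earlier packets (card 74)."""

    def __init__(self, acl):
        self.acl = acl

    def filter(self, direction, pkt):
        for rule_dir, dport, need_ack, action in self.acl:
            if rule_dir != direction or (dport is not None and dport != pkt.dport):
                continue
            if need_ack and "A" not in pkt.flags:
                continue
            return action
        return "deny"                                  # implicit deny at the end of the ACL


class StatefulFirewall(StatelessFirewall):
    """Keeps a state table of permitted connections; packets that belong to one bypass the ACL (card 70)."""

    def __init__(self, acl):
        super().__init__(acl)
        self.state = set()                             # (src, sport, dst, dport) of the initiator

    def filter(self, direction, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.state or reverse in self.state:
            if "F" in pkt.flags or "R" in pkt.flags:   # teardown: forget the connection
                self.state.discard(forward)
                self.state.discard(reverse)
            return "allow"                             # part of a tracked connection: skip the ACL
        if pkt.flags == "S":                           # only a bare SYN may open a new entry
            action = super().filter(direction, pkt)
            if action == "allow":
                self.state.add(forward)
            return action
        return "deny"                                  # anything else with no state is unsolicited


def run_scenario(fw):
    """Constructed packet sequence: an inside client browses out, then an outsider probes in."""
    client, server, outsider = "10.0.0.5", "93.184.216.34", "198.51.100.77"
    steps = [
        ("client_syn_out",     "out", Packet(client, 40000, server, 443, "S")),
        ("server_synack_in",   "in",  Packet(server, 443, client, 40000, "SA")),
        ("client_ack_out",     "out", Packet(client, 40000, server, 443, "A")),
        ("unsolicited_syn_in", "in",  Packet(outsider, 5555, client, 3389, "S")),
        ("ack_scan_in",        "in",  Packet(outsider, 5556, client, 22, "A")),
    ]
    return {name: fw.filter(direction, pkt) for name, direction, pkt in steps}


if __name__ == "__main__":
    print("stateless:", run_scenario(StatelessFirewall(ACL)))
    print("stateful: ", run_scenario(StatefulFirewall(ACL)))
```

The last step is the one to look at: both firewalls block the unsolicited SYN to 3389, but only the stateful one blocks the ACK-flagged probe to port 22, because it asks "is this part of a connection I saw start?" rather than "does this packet have the right bit set?".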

76
Q

What are some security hardening methods?

A

Create individual user accounts and change the default ADMIN user name/password.

Assign rights based on roles (least privilege).

Update the firmware of devices such as cameras and switches.

Close open ports (stop the services) that are not used.

Shut down the physical ports that are not used.

Do key/signature/certificate management on devices so we can back them up and rotate them.

We can do a vulnerability assessment, in which we have some level of access to the network.

Going to the next level, we can also have someone do penetration testing.

77
Q

What are 3 types of physical controls?

A

Deterrent,

Preventative,

Detective

Learn to identify what falls under each of these types and how to improve these physical controls.

78
Q

Give me an example of one thing we normally check while testing network security.

A

We look for unwanted open ports.
Ports can be opened by newly installed software, by a firmware update on the router, or by mistake while configuring the managed devices.

79
Q

Give me an example of a network vulnerability scanner.
And what does it do?

A

These applications look for vulnerabilities in our network. For example, they can look for open ports in our network, show us the services (and versions) running on some particular server, map the network topology and find devices that we did not know of.

Example - Nessus and Nmap (it is free and I will play with this)

80
Q

What are Honeypot and Honeynet?

A

These are systems or applications that mimic a real server (honeypot) or a whole network (honeynet) as bait for attackers, so that we can monitor the attackers' activity.
There are some free ones as well.

81
Q

What is the first thing we need to check in scenarios where something is not able to get to something?

A

Look for blocked TCP/UDP ports (on a firewall or on the host itself).

82
Q

What are the 3 aspects of securing (wireless) data?

A

Authentication, encryption (privacy), and MIC - message integrity check

83
Q

What is involved in the 802.1X authentication standard?

A

802.1X is port-based network access control: a switch port or wireless association stays blocked until the client authenticates. It does not define the authentication method itself; it carries EAP (EAP over LAN, EAPOL), and any of a number of EAP methods can be used.

It involves the supplicant (the client), the authenticator (the switch or AP) and the authentication server (AS, typically RADIUS).

84
Q

What are the different EAP authentication methods that are used?

A
  1. LEAP - Lightweight Extensible Authentication Protocol (Cisco) - NO LONGER USED; its MS-CHAP exchange can be cracked offline.
  2. EAP-FAST - Flexible Authentication via Secure Tunneling (Cisco) - builds the tunnel with a PAC (protected access credential) instead of a certificate.
  3. PEAP - Protected Extensible Authentication Protocol - in this one, the AS (authentication server) authenticates itself to the supplicant using a certificate. Once authenticated, a TLS TUNNEL is created between the supplicant and the AS, and then the client/supplicant is authenticated through the TLS TUNNEL.
     For client authentication it can use either MSCHAPv2 or GTC (Generic Token Card).
  4. EAP-TLS - certificates on both sides (mutual authentication); the strongest, but every client needs its own certificate.

85
Q

What are common Wireless Privacy and Integrity Methods?

A
  1. TKIP - Temporal Key Integrity Protocol - RC4-based stopgap from WPA; deprecated and no longer used
  2. CCMP - Counter Mode with CBC-MAC Protocol - uses AES ENCRYPTION and CBC-MAC as the MIC. Used in WPA2
  3. GCMP - Galois/Counter Mode Protocol - uses AES, and for the MIC it uses the Galois Message Authentication Code (GMAC).
     Used in WPA3

86
Q

Define WPA (Wi-Fi Protected Access), WPA2, WPA3.

A

WPA - uses 802.1X (or PSK) authentication with TKIP
WPA2 - uses AES-CCMP
WPA3 - uses AES-GCMP (and SAE replaces the PSK 4-way handshake in personal mode)

All WPA versions support 2 client authentication modes depending on the scale of the deployment: a pre-shared key or 802.1X.
These are known as personal mode and enterprise mode.

87
Q

What is Ping of death?

A

It is a denial-of-service attack in which the attacker sends a malformed, oversized ping: IP fragments that reassemble to more than the maximum 65,535-byte IP packet. Old IP stacks overflowed the reassembly buffer and crashed or hung. Modern systems are patched; a large number of ordinary pings is a ping flood, a different (volumetric) attack.

88
Q

Describe the ICMP redirect attack, in which the target's gateway is changed from under it.

A

The attack happens like this -

  1. The attacker sends a packet to the target host pretending to be some destination host.
  2. While the target host's response is on its way, the attacker sends an ICMP Redirect message, spoofed from the primary gateway, telling the target to use a different router for that destination.
  3. This way, the target host changes its route for that destination from the primary gateway to a secondary one that is under the attacker's control.
  4. From this point on, the attacker is the man in the middle. All the target host's traffic for that destination travels via the secondary host, where the attacker can see all the data. Hosts should be configured to ignore ICMP redirects (on Linux, net.ipv4.conf.all.accept_redirects = 0).

89
Q

What is DDOS - Distributed Denial of Service Attack?

A

In DDoS, the attack on a particular host comes from many different source hosts.

The attacker deploys bots (malicious programs) on different computers and then controls them using a command-and-control (C2) server.

An example of such an attack is reflected denial of service using DNS and NTP.

90
Q

What is permanent denial of service? Give one example.

A

One form of permanent denial of service is PDoS - phlashing.

In PDoS, the victim device's firmware is damaged or overwritten in such a way that the device can no longer boot and cannot be repaired in the field. It needs to be replaced (or reflashed by the manufacturer).

91
Q

Describe Smurf attack.

A

In a Smurf attack, the attacker spoofs the victim's IP address as the source and sends a ping to the network's broadcast address. Doing so causes every host in the network to flood the victim with ICMP ping replies. Routers should drop directed broadcasts (Cisco: no ip directed-broadcast) so the network cannot be used as an amplifier.

92
Q

What is a SYN flood attack?

A

In a SYN flood attack, the attacker sends many SYN requests (usually from spoofed sources) to a server and never completes the handshake. For each SYN the server reserves a half-open connection entry in memory, until its backlog/memory is fully exhausted. At this point the server cannot accept any more connection requests, even legitimate ones. SYN cookies are the standard mitigation.

93
Q

Describe the reflective amplified attacks that are performed using DNS and NTP.

A

DoS attack using DNS -> the attacker's bots spoof the IP address of the victim as the source and send small DNS queries (an ANY query is only a few dozen bytes) to open resolvers. Doing so causes the DNS servers to send their much larger responses (kilobytes, especially with DNSSEC records) to the victim's address.

DoS attack using NTP -> the attacker spoofs the IP address of the target and sends the "monlist" command to NTP servers. Doing so causes the NTP servers to reply to the target with the addresses of the last 600 hosts that contacted them, a response hundreds of times larger than the request. Only old NTP servers (ntpd before 4.2.7) answer monlist.
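
Added detection example for cards 59, 91, 92 and 93 (the editor's code, not from the original deck): simple flow-based logic of the kind a NetFlow/IPFIX collector would run. It flags a SYN flood (many SYN sources, almost no completed handshakes) and a DNS/NTP reflection victim (large inbound volume from service ports 53/123 with no matching outbound requests, because the real requests came from the attacker with a spoofed source). The flow records are constructed in the code; the thresholds are arbitrary demo values.

```python
import random
from collections import defaultdict

# Flow record: (src, dst, proto, sport, dport, tcp_flags, bytes)


def make_sample_flows():
    """Constructed traffic sample (not a real capture): one SYN-flooded web server,
    one DNS-reflection victim, and some ordinary traffic for contrast."""
    rng = random.Random(7)
    flows = []
    # 1. ordinary client completing a handshake with the web server
    flows += [("198.51.100.5", "203.0.113.10", "TCP", 40001, 80, "S", 60),
              ("203.0.113.10", "198.51.100.5", "TCP", 80, 40001, "SA", 60),
              ("198.51.100.5", "203.0.113.10", "TCP", 40001, 80, "A", 52)]
    # 2. SYN flood: 300 SYNs from random (spoofed) sources, handshake never completed
    for _ in range(300):
        src = "%d.%d.%d.%d" % tuple(rng.randrange(1, 224) for _ in range(4))
        flows.append((src, "203.0.113.10", "TCP", rng.randrange(1024, 65535), 80, "S", 60))
    # 3. ordinary DNS lookup: small query out, modest answer back
    flows += [("198.51.100.5", "192.0.2.53", "UDP", 51000, 53, "", 70),
              ("192.0.2.53", "198.51.100.5", "UDP", 53, 51000, "", 300)]
    # 4. DNS reflection: the victim never asked, but 20 open resolvers each send 10 big answers
    for i in range(20):
        for _ in range(10):
            flows.append(("192.0.2.%d" % (100 + i), "203.0.113.20", "UDP", 53,
                          rng.randrange(1024, 65535), "", 3000))
    return flows


def detect_syn_flood(flows, min_syns=100, max_completion=0.1):
    """Flag destination ports that receive SYNs from many sources but see few handshake ACKs.
    Approximation: counts bare-ACK packets; production logic would track the 3-way handshake."""
    syn_sources = defaultdict(set)
    acks = defaultdict(int)
    for src, dst, proto, sport, dport, flags, _ in flows:
        if proto != "TCP":
            continue
        key = (dst, dport)
        if flags == "S":
            syn_sources[key].add(src)
        elif flags == "A":
            acks[key] += 1
    alerts = []
    for key, sources in syn_sources.items():
        n = len(sources)
        if n >= min_syns and acks[key] / n <= max_completion:
            alerts.append({"target": key, "syn_sources": n, "completed": acks[key]})
    return alerts


def detect_amplification(flows, reflector_ports=(53, 123), min_bytes=100_000, min_ratio=10):
    """Flag hosts that receive far more bytes FROM DNS/NTP service ports than they ever sent TO them."""
    inbound = defaultdict(int)
    outbound = defaultdict(int)
    reflectors = defaultdict(set)
    for src, dst, proto, sport, dport, _, nbytes in flows:
        if proto != "UDP":
            continue
        if sport in reflector_ports:          # answer arriving from a service
            inbound[dst] += nbytes
            reflectors[dst].add(src)
        elif dport in reflector_ports:        # query leaving towards a service
            outbound[src] += nbytes
    alerts = []
    for host, b_in in inbound.items():
        ratio = b_in / (outbound[host] or 1)
        if b_in >= min_bytes and ratio >= min_ratio:
            alerts.append({"victim": host, "bytes_in": b_in, "bytes_out": outbound[host],
                           "reflectors": len(reflectors[host])})
    return alerts


FLOWS = make_sample_flows()

if __name__ == "__main__":
    print("SYN flood:", detect_syn_flood(FLOWS))
    print("amplification:", detect_amplification(FLOWS))
```

The ordinary client and the ordinary DNS lookup stay below both thresholds, which is the point of the contrast: a SYN flood shows up as SYNs that never turn into connections, and a reflection victim shows up as answers to questions it never asked.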

94
Q

What is ARP cache poisoning?

A

It is a kind of man-in-the-middle attack on a LAN. The attacker sends forged ARP replies so that the ARP caches on the victim hosts (not the switch, which only keeps a MAC address table) map the gateway's IP, or another host's IP, to the attacker's MAC address. Traffic between them then travels through the attacker's device. Dynamic ARP Inspection on the switches and static ARP entries are the defences.

95
Q

Give me an example of protocol abuse.

A

Protocol abuse targets protocols that are allowed in almost every network. For example - DNS and ICMP.

One example of DNS protocol abuse -

Let's say the attacker has managed to get inside the network and has gained admin rights as well. To maintain such access for later, the attacker has 2 options. The first is to install a backdoor on the victim device, but most of the time outgoing or incoming traffic on an unknown port is blocked by the firewalls, so he/she goes for the 2nd option.

The 2nd option is to abuse DNS. On the victim device the attacker installs an application such as iodine, which encapsulates the traffic the attacker wants inside DNS queries and responses; these DNS packets are allowed through the firewall (the internal resolver forwards the queries to the attacker's authoritative name server).

At the other end of this DNS tunnel, the attacker's server also runs iodine, which de-encapsulates the traffic and forwards it to the attacker. Tell-tale signs in the query logs are long, high-entropy subdomains, unusual record types (NULL, TXT) and very many queries to one domain.
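
Added detection example for card 95 (the editor's code, not from the deck): scoring a BIND-style query log per base domain for what an iodine-style tunnel produces, namely many unique, long, high-entropy subdomains and odd record types. The log lines are constructed; the thresholds and the two-label base-domain split are simplifying assumptions (a real detector would use the public suffix list).

```python
import math
import random
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def make_sample_log():
    """Constructed BIND-style query log (not a real capture): normal lookups plus a tunnel."""
    rng = random.Random(11)
    lines = []
    normal = ["www.example.com", "mail.example.com", "cdn-assets.example.com",
              "login.microsoftonline.com", "www.example.com", "api.example.com"]
    for i, name in enumerate(normal * 3):
        lines.append("17-Mar-2024 10:00:%02d.000 client 10.0.0.5#51234: query: %s IN A + (10.0.0.2)"
                     % (i % 60, name))
    alphabet = "abcdefghijklmnopqrstuvwxyz234567"          # base32-like, as tunnels encode data
    for i in range(40):
        label = "".join(rng.choice(alphabet) for _ in range(50))
        lines.append("17-Mar-2024 10:01:%02d.000 client 10.0.0.9#40123: query: %s.t.evil-example.net IN NULL + (10.0.0.2)"
                     % (i % 60, label))
    return lines


def parse_query_log(lines):
    """Yield (client, qname, qtype) for every query line; other lines are skipped."""
    out = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            out.append((m.group("client"), m.group("qname").lower().rstrip("."), m.group("qtype")))
    return out


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload scores high, human-chosen names score low."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())


def base_domain(qname: str):
    """Crude registrable-domain split: last two labels vs everything in front of them."""
    labels = qname.split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def detect_dns_tunnels(lines, min_unique=20, min_avg_len=30, min_entropy=3.5):
    """Score each base domain on the features iodine-style tunnels cannot avoid producing."""
    per_domain = defaultdict(list)
    for client, qname, qtype in parse_query_log(lines):
        dom, sub = base_domain(qname)
        per_domain[dom].append((client, sub, qtype))
    alerts = []
    for dom, recs in per_domain.items():
        subs = [s for _, s, _ in recs]
        uniq = len(set(subs))
        avg_len = sum(map(len, subs)) / len(subs)
        avg_ent = sum(map(shannon_entropy, subs)) / len(subs)
        odd = sum(1 for _, _, t in recs if t in ("NULL", "TXT", "CNAME", "MX", "SRV")) / len(recs)
        if uniq >= min_unique and avg_len >= min_avg_len and avg_ent >= min_entropy:
            alerts.append({"domain": dom, "unique_subdomains": uniq,
                           "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2),
                           "odd_qtype_ratio": round(odd, 2),
                           "clients": sorted({c for c, _, _ in recs})})
    return alerts


SAMPLE_LOG = make_sample_log()

if __name__ == "__main__":
    for a in detect_dns_tunnels(SAMPLE_LOG):
        print(a)
```

The record type alone is not a reliable signal (iodine can fall back to A records and legitimate software uses TXT), so the detector keys on the volume, length and entropy of the subdomains and reports the querying client so the host can be pulled for investigation.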

96
Q

Define spoofing and its types

A

Spoofing is the process of faking someone's address.
There are 3 kinds of spoofing -

  1. ARP spoofing - forged ARP replies (see ARP cache poisoning)
  2. E-mail spoofing - the From field is forged to hide the real sender's address or to impersonate someone; SPF, DKIM and DMARC are the defences
  3. Referer header spoofing - the attacker forges the HTTP Referer header (the real header name is misspelled this way) in a request to a server so that it appears to come from a page from which access to this server is allowed; a server should never use Referer as an access control

97
Q

Define Session Hijacking and its types.

A

Session hijacking is the process in which an attacker takes over a client's session with a server once the client has authenticated to the server.

There are 3 types of session hijacking -

  1. Session fixation - the attacker sends the victim a link with a session ID already set. If the server accepts that attacker-chosen ID and keeps it once the victim logs in, the attacker can use the same ID and has the victim's session. Defence: issue a fresh session ID at login.
  2. Session sidejacking - the attacker sniffs the session cookie from unencrypted traffic, or, if the attacker has access to the client device, reads it from its memory or disk. Defence: TLS everywhere and the Secure cookie flag.
  3. Cross-site scripting (XSS) - the attacker injects script into a page the victim views (no malware on the device is needed); the script runs in the victim's browser and steals the session cookie after the client has authenticated. Defence: output encoding and the HttpOnly cookie flag.

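
Added example for card 97 (the editor's illustration, not from the deck): a toy server-side session store run in two modes. The vulnerable mode adopts a session ID supplied in a URL and keeps it across login, which is exactly what makes session fixation work; the hardened mode ignores client-chosen IDs, rotates the ID at login and sets Secure/HttpOnly on the cookie (the sidejacking and XSS defences from the card). The user alice and her password are constructed demo data.

```python
import secrets

PASSWORDS = {"alice": "correct horse"}        # constructed demo credential store


class SessionApp:
    """Minimal server-side session handling; fixation_safe toggles vulnerable vs hardened behaviour."""

    def __init__(self, fixation_safe: bool):
        self.fixation_safe = fixation_safe
        self.sessions = {}                    # session id -> {"user": name or None}

    def _new_session(self) -> str:
        sid = secrets.token_urlsafe(32)       # unguessable, server-generated
        self.sessions[sid] = {"user": None}
        return sid

    def visit(self, cookie_sid=None, url_sid=None) -> str:
        """First request from a browser. Returns the session id the server will use for it."""
        if not self.fixation_safe:
            # VULNERABLE: adopt whatever id the request presents, even one smuggled in a URL
            sid = url_sid or cookie_sid
            if sid:
                self.sessions.setdefault(sid, {"user": None})
                return sid
            return self._new_session()
        # HARDENED: only a server-issued id carried in the cookie is honoured; URL ids are ignored
        if cookie_sid in self.sessions:
            return cookie_sid
        return self._new_session()

    def login(self, sid: str, user: str, password: str):
        """Authenticate; returns the session id that now carries the login, or None on failure."""
        if sid not in self.sessions or password != PASSWORDS.get(user):
            return None
        if self.fixation_safe:
            del self.sessions[sid]            # rotate the id at the privilege change
            sid = self._new_session()
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid: str):
        return self.sessions.get(sid, {}).get("user")

    def set_cookie_header(self, sid: str) -> str:
        """Secure keeps the cookie off plaintext links (sidejacking); HttpOnly keeps it from script (XSS)."""
        flags = "; Secure; HttpOnly; SameSite=Lax" if self.fixation_safe else ""
        return "Set-Cookie: sid=%s%s" % (sid, flags)


def fixation_attack(app: SessionApp):
    """Attacker obtains an id, lures the victim into using it, then asks whose session it is."""
    attacker_sid = app.visit()                              # attacker gets a valid id from the server
    victim_sid = app.visit(url_sid=attacker_sid)            # victim opens a link ...?sid=<attacker_sid>
    victim_sid = app.login(victim_sid, "alice", "correct horse") or victim_sid
    return app.whoami(attacker_sid)                         # "alice" means the attacker won; None means it failed


if __name__ == "__main__":
    print("vulnerable app, attacker's id belongs to:", fixation_attack(SessionApp(fixation_safe=False)))
    print("hardened app,   attacker's id belongs to:", fixation_attack(SessionApp(fixation_safe=True)))
    print(SessionApp(fixation_safe=True).set_cookie_header("<id>"))
```

Two separate controls are at work: refusing client-chosen IDs stops the attacker from planting one, and rotating the ID at login makes any ID the victim held before authenticating worthless afterwards, so a session can only be "owned" by the browser the server issued it to.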
98
Q

What is VLAN hopping?

A

In VLAN hopping by double tagging, the attacker sends frames carrying two 802.1Q tags. The first switch strips the outer tag (the attacker's native VLAN) and forwards the frame over a trunk with the inner tag still attached, so the next switch delivers it into a VLAN the attacker is not a member of. It is one-way (no return traffic) and only works when the attacker's port is in the trunk's native VLAN; the fix is to use an otherwise unused VLAN as the native VLAN on trunks and to tag it. The other form, switch spoofing, tricks the switch into negotiating a trunk with DTP.

99
Q

What is a virus? Define its types.

A

A virus is a type of malware that is activated by a user action, for example opening an infected executable file.