Questions Flashcards
“You notice an unusual spike in TCP and UDP flows from a single internal source to multiple destinations. Describe in detail the steps you would
take to determine the type of traffic that this represents.”
“Find out the IP address and check the DHCP logs to see if this is a company or rogue machine.
Run a packet sniffer like wireshark.
Check FW logs for type of traffic generated.
Check the IDS logs for any malicious or recon signatures it is detecting.
”
“A user reports that although he was logged into a web application at the time, he did not conduct the transaction that the web application purports.
We know conclusively that the login has not been shared. What are some possible causes and what you do to investigate them?”
Number 5: Man in the middle attack, keystroke logger, malware.
for a small lan which class of addressing is used?
Class C
How does traceroute work? Now how does traceroute make sure that the packet follows the same path that a previous (with ttl - 1) probe packet went in?
What are the different Levels of Auditing
“Statement Auditing,
Privilege Auditing
Object Auditing.”
What are the roles and user accounts created automatically with the database?
“DBA - role Contains all database system privileges.
SYS user account - The DBA role will be assigned to this account. All of the base tables and views for the database’s dictionary are store in this schema and are manipulated only by ORACLE.
SYSTEM user account - It has all the system privileges for the database and additional tables and views that display administrative information and internal tables and views used by oracle tools are created using this username.”
What is difference between ARP & RARP
How both of these protocols will work, and where it will use
“ARP -Meaning of ARP ? ““Address Resolution Protocol””, is used to map ip Network addresses to the hardware (Media Access Control sub layer) addresses used by the data link protocol. The ARP protocol operates between the network layer and the data link layer in the Open System Interconnection (osi) model.
RARP-RARP (Reverse Address Resolution Protocol) is a protocol by which a physical machine in a local area network can request to learn its IP address from a gateway server’s Address Resolution Protocol (ARP) table or cache.
A network administrator creates a table in a local area network’s gateway router that maps the physical machine (or Media Access Control - MAC address) addresses to corresponding Internet Protocol addresses.
When a new machine is set up, its RARP client program requests from the RARP server on the router to be sent its IP address. Assuming that an entry has been set up in the router table, the RARP server will return the IP address to the machine which can store it for future use. RARP is available for Ethernet, Fiber Distributed-Data Interface, and token ring LANs.”
What is meant by port blocking within LAN ?
Restricting the users from accessing a set of services within the local area network
You are presented with a list of known bad DNS names but are not allowed to monitor traffic with network sniffers. You are asked to indicate what names are in use on your network without using a network sniffer. Describe, in detail the steps you would take.
nslookup or ping
You have observed TCP connections to an IP address. The HTTP connections return a file named a.txt but when you try to retrieve the file with your browser you receive a 404 error code. You do not know the DNS name associated with the IP address (there is no reverse map). Describe the steps you would take to retrieve a.txt. Provide a plausible explanation why another machine on your network is retrieving a.txt but you are not able to do the same.
Run nbtstat -a to retrieve the host name and also name of user. Or run ping -a.
You receive a report that an attacker from the external Internet has connected inbound via port 443 to remotely control a host on your internal network but you know the firewall blocks inbound connections. Do your best to explain possible reasons for activity.
a trojan application on a Windows PC has ‘phoned home’. A connection intiated inside the firewall is considered an outbound connection.
