SANS 503

Question 1

What port would you see in a tcpdump capture indicating the machine was
running CIFS?

Answer 1

445

Question 2

What is NBT?

Answer 2

NETBIOS over TCP

Question 3

How do NetBIOS hosts discover other NetBIOS hosts when no domain is present?

Answer 3

Sending broadcasts over the network

Question 4

What is the SMB/CIFS protocol used for?

Answer 4

Access shared resources

Question 5

How will a Windows client resolve a NetBIOS name when no central naming
service is used?

Answer 5

Broadcast a NetBIOS name query using UDP port 137.

Question 6

MSRPC over SMB Session Setup

Answer 6

Negotiate Protocol Request
Negotiate Protocol Response
Session Setup Request
Session Setup Response
Tree Connect Request
Tree Connect Response
Bind request
Bind response
LsarOpenPolicy request
LsarOpenPolicy response
LsarQueryInformationPolicy request
LsarQueryInformationPolicy response

Question 7

MSRPC over TCP (DCOM)

Answer 7

Connect EPM request   (Port 135)
EPM response
Connect high port from response
DCERPC bind request
DCERPC bind response
DRSUAPI DSbind request
DRSUAPI DSbind response

Question 8

MSRPC Interfaces Request

Answer 8

lsarpc - local security authority
samr - comm with security account mgr
netlogon - SAM authentication n replication
drsuapi - AD replication
dssetup - Dir Svc Setup in AD
eventlog - access window event log
pnp - plug and play
srvsvc - manage lanmanserver service
svcctrl - manage windows service control mgr
winreg - windows registry access
wkssvc - lanman workstation service

Question 9

When utilizing SMB/CIFS, what mechanism is used to provide access to a
requested share?

Answer 9

tree connect

Question 10

DNS zones

Answer 10

.com
.net
.com
.org
.mil
.jp
.edu

Question 11

Number of Names “root” servers

Answer 11

13 - actually are more doing any casting to load balance geographically

Question 12

Reverse DNS Domain

Answer 12

in-addr.arpa

Question 13

In TCPdump DNS reply three fields are give (ie. 0/3/4) what do these mean

Answer 13

0 Answers
3 Authority Records
4 Additional Records

Question 14

In TCPdump DNS server reply if + (plus) sign after DNS ID

Answer 14

Means recursion is desired. It means if DNS server doesn’t know answer then go find it for me

Question 15

In TCPdump DNS server reply if * (asterisck) mean –>

Answer 15

Means that is the authoritative server for that zone

Question 16

Max value TTL for DNS record cache

Answer 16

32 bit field = 2^32 or ~4.3 billion seconds

Question 17

Max TTL for IP

Answer 17

255

Question 18

nslookup zone xfer

Answer 18

nslookup

Ls -d (list all data)

Question 19

Largest reply of DNS by UDP by default

Answer 19

512 bytes

Question 20

In TCPdump DNS server reply if | (pipe) after DNS ID

Answer 20

truncated bit set; this tells the client to that 512 was exceeded so client should use TCP to get full set of info

Question 21

EDNS extends DNS reply size to

Answer 21

4000 bytes

Question 22

DNSSEC does what

Answer 22

1) Ensure integrity and authenticity of DNS record
2) Use public key for digital signing
3) Adds new DNS records

Question 23

Current Problem with DNSSEC

Answer 23

Poor hash alg has collision

Question 24

IPv6 new resource record type

Answer 24

AAAA (quad-A) for longer address

Question 25

IPv6 reverse DNS top level domain

Answer 25

ip6.arpa

Question 26

Version of DNS that supports IPv6

Answer 26

Bind 9, windows server 2003

Question 27

nslookup search name server for target

Answer 27

set type=ns

Question 28

nslookup search Source of Authority

Answer 28

set type=soa

Question 29

fast flux

Answer 29

bot net of multiple hosts change get rotated in DNS A records so that IP for same URL are actually different IP/Host

Question 30

DNS Cache poisoning

Answer 30

Change DNS to point to malicious host. www.amazon.com goes to compromised server.

Question 31

Prevent Old Cache Poinsoning

Answer 31

Bailiwick checking - domains in query and additional resource records have to match

Question 32

Snort Rules - Action: Alert

Answer 32

Create entry in alerts file | Logs packet header info as well

Question 33

Snort Rules - Action: Log

Answer 33

Log entry | No Alerts logged to alert file

Question 34

Snort Rules - Action: Pass

Answer 34

Drop packet and do nothing else

Question 35

Snort Rules - Action: drop

Answer 35

Inline only option; blocks and logs traffic

Question 36

Snort Rules - Action: sdrop

Answer 36

Inline only option; drops without logging

Question 37

Snort Rules - Action: reject

Answer 37

Inline only option: blocks, logs and attempts to terminate TCP or UDP session

Question 38

Which DNS record is a required DNS resource record for any DNS server to indicate the zone for which it is authoritative?

Answer 38

Start of Authority

Question 39

What special level domain suffix is reserved for resolution of IP numbers to hostnames at the top level?

Answer 39

arpa

Question 40

What does the '*' indicate in the following packet capture? dns. server.53 > host.1763: 1* 1/3/4 A 66. 35.45.201 (192)

Answer 40

It means dns.server IS the authoritative server for this zone

Question 41

Who sets the time to live value for cached DNS records?

Answer 41

client resolver -- maybe! Check in book

Question 42

How can malicious attackers be prevented from performing a zone transfer from your DNS servers? A. Block inbound UDP port 53. B. Block inbound TCP port 53. C. Restrict the IP addresses that are allowed to perform zone transfers. D. Remove all slave DNS servers.

Answer 42

B and C

Question 43

What does the DNSSEC resource record of RRKEY contains what?

Answer 43

Public key for DNS zone

Question 44

Based off of the following packet capture, what does the 4 indicate in '1/3/4'? 11:47:57.042470 IP 192.168.14.5.53 > 172.16.7.6.50702: 47543 1/3/4 A 10.1.1.5 (152)

Answer 44

4 additional records were returned.

Question 45

What is a set of domain names for which DNS is the authoritative nameserver?

Answer 45

Zone Maps

Question 46

What are zone maps

Answer 46

The set of domain names for which DNS is the authoritative nameserver

Question 47

What type of call is made from the client resolver when a reverse lookup is made?

Answer 47

gethostbyaddr

Question 48

Who maintains the zone maps?

Answer 48

Master Server

Question 49

How are DNS records stored in IPv6 compared to IPv4?

Answer 49

A quad A (AAAA) record stores Ipv6 address, and an A record stores IPv4 addresses.

Question 50

What value does DNS use in order to determine how long a cached record stays on a DNS server?

Answer 50

Time To Live

Question 51

When is TCP used for DNS transactions? Choose the BEST answer. A. For zone transfers. B. After a UDP response is truncated. C. When the DNS payload is less than 500 bytes.

Answer 51

A and B

Question 52

How are DNS records stored in IPv6 compared to IPv4?

Answer 52

A quad A (AAAA) record stores Ipv6 address, and an A record stores IPv4 addresses.

Question 53

What does the '+' indicate in the following packet capture? 06:19:16.427260 IP (tos 0x0, ttl 64, id 18411, offset 0, flags [none], proto UDP (17), length 61) 10.0.0.6.50846 > 10.0.0.1.53: [udp sum ok] 33620+ A? sans.org. (33)

Answer 53

Recursion Request or Recursion is desired

Question 54

Based off of the following packet capture, what does the 3 indicate in '1/3/4'? 11:47:57.042470 IP 192.168.14.5.53 > 172.16.7.6.50702: 47543 1/3/4 A 10.1.1.5 (152)

Answer 54

3 authoritative records were found.

Question 55

Slave server gets zones maps from

Answer 55

From Master via zone xfer

Question 56

what does | in tcpdump mean

Answer 56

truncated bit set.

Question 57

DNSSEC RRSIG record contains what

Answer 57

signature for resource record set

Question 58

IPv6 Features

Answer 58

``` Autoconfiguration Anycast Address Mandatory Multicast Address IPSec included via extension headers Mobile IP Jumbo Payloads ```

Question 59

What is Teredo

Answer 59

Tunnels IPv6 between IPv6 hosts using UDP packets. Microsoft way of using IPv6

Question 60

What is GRE

Answer 60

Generic Route Encapsulation: IPv6 over IPv4