SEC CONCEPTS Flashcards

1
Q

________ exist to connect devices on a network by using packet switching to receive and forward data to the destination device.

When exploited, ________ can be manipulated and configured in a way that allows network packet sniffing.

A

Switches

2
Q

________ is an open-source collection of tools for network auditing and penetration testing (hacking into a network), and is one of many tools that can be used to sniff network traffic and passwords.

A

Dsniff

3
Q

________ is a utility within the Dsniff collection that is capable of conducting an attack known as MAC flooding.

A

Macof

4
Q

________ is an attack that attempts to overload a switch by sending the targeted switch network traffic with many different source MAC addresses.

A

MAC flooding

5
Q

When the target switch receives a new frame with an unknown source MAC address, the switch adds it to its ________?

A

MAC Address Table (MAT)

6
Q

If the switch receives thousands of these new MAC addresses, ______________________________________________________________. The switch is no longer able to keep track of where these devices are and will begin sending traffic out every interface on the switch, effectively reducing the switch to a hub.

A

eventually the MAT will become full and will not be able to add any more devices, and then can no longer direct individual frames

7
Q

This enables an attacker to utilize a packet analyzer to easily capture packets and see anything on the network. During a ________ attack the switch can also shut down entirely; this is known as fail-open repeating mode and is a type of Denial-of-Service.

A

Mac Flooding

8
Q

________ is a type of exploit at the switch that compromises the ARP table by manipulating MAC addresses so that IP addresses point to another machine.

A

ARP Poisoning (aka ARP Spoofing)

9
Q

ARP Poisoning (aka ARP Spoofing) is considered to be a type of ___________ attack where the ARP cache is poisoned and all packets are sent to the access point.

A

Man-In-The-Middle (MITM)

10
Q

(True or False) ARP Spoofing can be considered a Man-In-The-Middle attack?

A

True

11
Q

What type of attack attempts to overload the MAT on a switch?

A

MAC Flood

12
Q

________ provides a great deal of detailed information about the target router, as well as situational awareness surrounding the target router and its environment.

A

Router reconnaissance

13
Q

The scanning methods that are used to _________ routers are the same methods that are used to enumerate any host target. IP addresses are scanned to identify available ports and services. Banner grabbing can also be used to identify the service version of ports that have been discovered.

A

enumerate

14
Q

________ is an application layer protocol that runs over UDP and is used to manage network devices that operate at the IP layer (e.g. routers).

A

SNMP or Simple Network Management Protocol

15
Q

SNMP passwords

A
  • Read community strings are commonly "public"; the device configuration can be viewed with this password.
  • Read/Write community strings are commonly "private"; the device configuration can be modified with this password.
16
Q

____________ is a virtual hierarchical database that is used by SNMP to internally manage network objects. SNMP passwords can be used to view and/or modify network objects.

A

Management Information Database (MIB)

17
Q

____________ is an SNMP application that issues multiple GETNEXT requests in order to search for and obtain SNMP data. It can be used as an enumeration tool to gather information that specifically pertains to routers. When port 161 (SNMP) is open and a valid community string is known, router information is easily searchable.

A

SNMPwalk

18
Q

Router and SNMP enumeration can lead to the following:

A
  • Network resource information (routers, devices, share drives, etc.)
  • ARP and routing tables
  • Traffic statistics
  • Network addressing topologies
  • Information about the network owner and the location of the routing device
  • Identification of potential targets on the network
  • Routing policies and rules
  • Implemented security levels
19
Q

What application can be used for router enumeration?

A

SNMPwalk

20
Q

(True or False) Port 161 can provide router information?

A

True

21
Q

____________ of the router are controlled by logging statements. These logging statements identify the IP address of the host that is storing the logs. Exploiting that host can also provide the attacker with the ability to clean the logs, which can be very beneficial when an attacker attempts to cover some of their tracks.

A

Remote Logging capabilities

22
Q

_____________ is a penetration testing application used to identify and exploit various devices based on a large database of known routers. Router Scan collects critical information on wireless networks (and WANs), such as wireless network characteristics, encryption types, router model, SSIDs and access point key passphrases.

A

Router Scan

23
Q

Router Scan gathers information using two main methods:

A
  • Guessing a username/password pair to gain access to the router.
  • Exploiting vulnerabilities that exist on specific router models, obtaining target information and possibly bypassing authorization procedures.
24
Q

________ is an open-source exploitation framework designed primarily to detect and exploit router vulnerabilities.

A

RouterSploit

25
Q

Router Scan vs RouterSploit

A
  • RouterSploit uses a CLI instead of a GUI, requires targets to be set manually, and does not allow a whole subnet to be specified; all targeted routers must be individually specified.
  • RouterSploit has more exploits than Router Scan and is more robust. It also supports brute forcing multiple network services.
26
Q

Exploiting a router can allow the attacker to cover their tracks by cleaning what?

A

logs

27
Q

What CLI based tool can be used for the purposes of router exploitation?

A

RouterSploit

28
Q

__________ is an information gathering method where an attacker gathers pertinent information about a target router. Router configuration files are often a prime target for information gathering operations.

A

Router Collection

29
Q

Cisco routers utilize two main copies of configuration files:

A

startup and running configurations

30
Q

___________ is a persistent copy of the Cisco router configuration and is typically stored in NVRAM; its contents are retained after a reboot. The startup configuration is also the configuration that is loaded when the device boots up.

A

Startup configuration file or “Startup config”

31
Q

_____________________ are where the router stores configuration changes while the router is running. The running config file is NOT persistent; this means that changes made to it while the router is running are NOT retained after a reboot. The running config file can be saved to either NVRAM or a TFTP (Trivial File Transfer Protocol) server, if a TFTP server exists on the network.

A

Running Configuration Files or “Running config”

32
Q

Are Startup Configuration files considered to be persistent or non-persistent?

A

Persistent

33
Q

(True or False) Router configuration files are prime targets when conducting router collection?

A

True

34
Q

The main goal of any firewall is to prevent unsolicited traffic from entering the network. Because firewalls protect the network by filtering or limiting the traffic between trusted and untrusted networks, _______________ is an important aspect of the attack plan when planning to attack any target network.

A

firewall enumeration

35
Q

________ can be used to identify and confirm that a firewall is on the network, while port scanning and banner grabbing can identify vendor-specific information.

A

A simple traceroute

36
Q

Traceroutes are often employed as a means to identify firewalls and other packet filtering devices on a target network, as well as the protected hosts that sit behind them. When _________ are present in the results of a traceroute, they may represent a firewall or packet filtering device, or may simply indicate severe network latency.

A

asterisks (*)

37
Q

________ is an active reconnaissance process, utilizing the Firewalk tool,

A

Fire walking (the using)

38
Q

A tool which allows an attacker to gain a better understanding of what protocols a firewall will allow.

A

Firewalk

39
Q
  • This method determines the movement of a packet from an untrusted source to a protected host through the firewall.
  • There are two main uses for fire walking: identifying and enumerating hosts that live within the protected network, and identifying ports that are accessible through the firewall.
A

Firewalk

40
Q

The _________ tool conducts the process of fire walking by using a technique based on traceroute and TTL values. The Firewalk tool sends out TCP or UDP packets with a TTL one hop greater than that of the gateway.

A

Firewalk

41
Q

Firewalk: If the gateway allows the packet to pass, it is forwarded to the next hop, where it expires and produces a _____________ error message.

A

ICMP_TIME_EXCEEDED

42
Q

___________ raises the hop count in an attempt to find the IP TTL that will allow a packet to expire one hop beyond the gateway. Once this process is complete and Firewalk has correctly identified the hop count of the gateway, it will then start scanning.

A

Fire Walk

43
Q

What tool uses a technique similar to traceroute in order to identify hosts that sit beyond a firewall?

A

fire walk

44
Q

(True or False) The ping scan (-sP) returns filtered ports?

A

false

A TCP SYN Stealth Scan (-sS) or a TCP Connect Scan (-sT) will do this.
