Sniffing and Evasion Flashcards

1
Q

From a legal standpoint, sniffing is equivalent to:

A

Wiretapping

2
Q

MAC address

A

Physical or burned-in address of a network interface. 48 bits long, written as 12 hex digits, usually as six colon-separated octets (Windows tools show them with hyphens).

3
Q

MAC address format

A

The first 3 bytes are the Organizationally Unique Identifier (OUI), the manufacturer code assigned to the NIC vendor by the IEEE. The last 3 bytes are assigned by the manufacturer and are unique within that OUI. Two bits of the first byte carry flags: the lowest bit marks a multicast (group) address and the next bit marks a locally administered address, which is what most MAC spoofing tools produce.
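
Added example (not part of the original flashcards): a parser that splits a MAC into its OUI and NIC-specific halves and decodes the multicast and locally-administered flag bits of the first octet. The sample addresses are constructed for the demo; the flag check is the practical use of the format, since a locally administered source address is a common sign of a spoofed MAC.

```python
import re

def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or Cisco aabb.ccdd.eeff and
    return the six raw octets; raise ValueError for anything that is not 48 bits."""
    hexdigits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(hexdigits)

def describe_mac(text):
    """Split a MAC into OUI and NIC-specific halves and decode the two flag bits of the first octet."""
    octets = parse_mac(text)
    first = octets[0]
    return {
        "canonical": ":".join(f"{b:02x}" for b in octets),
        "oui": ":".join(f"{b:02x}" for b in octets[:3]),            # manufacturer code (IEEE-assigned)
        "nic_specific": ":".join(f"{b:02x}" for b in octets[3:]),   # unique within that OUI
        "multicast": bool(first & 0x01),              # I/G bit set: group address, never a valid sender
        "locally_administered": bool(first & 0x02),   # U/L bit set: not vendor-burned, typical of spoofed MACs
        "broadcast": octets == b"\xff" * 6,
    }

# Constructed sample: a few source MACs as they might appear in a capture.
SAMPLE_SOURCES = [
    "00:50:56:ab:cd:ef",   # VMware OUI, vendor-assigned
    "0050.56ab.cdf0",      # same OUI in Cisco notation
    "02:00:5e:12:34:56",   # locally administered (bit 1 of 0x02 set)
    "de:ad:be:ef:00:66",   # 0xde = 1101 1110: U/L bit set, looks hand-picked
]

def suspicious_sources(macs):
    """Return the locally administered (and therefore possibly spoofed) addresses in a list of senders."""
    return [describe_mac(m)["canonical"] for m in macs if describe_mac(m)["locally_administered"]]
```

Run suspicious_sources(SAMPLE_SOURCES) to see which of the constructed senders carry the locally administered bit; in a real capture the same check applied to every source MAC is a quick first pass for hand-set addresses.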

4
Q

NIC must run in this mode to sniff all frames

A

Promiscuous mode, which makes the NIC pass up frames that are not addressed to it. A packet capture driver/library is also needed: WinPcap (now superseded by Npcap) on Windows, libpcap on Linux and other Unix-like systems.

5
Q

Collision Domain

A

All the devices sharing a given transmission medium, where only one can transmit at a time without a collision; every device in the domain can see every frame on it.

6
Q

Why switches can restrict sniffing

A

Switches restrict visibility of network conversations by making each port its own collision domain and forwarding unicast frames only to the port where the destination MAC was learned. A sniffer on a switch port therefore sees only broadcast, multicast and its own traffic unless an active technique (port mirroring, MAC flooding, ARP poisoning) is used.

7
Q

Hardware Protocol Analyzers

A

Fluke, RADCOM, Keysight

8
Q

Which protocol passes everything in clear text?

A

TFTP, SNMP versions 1 and 2c (prior to v3, community strings travel in the clear), NTP, IMAP, POP3 and HTTP; also Telnet, FTP and SMTP. Credentials and data carried by these protocols can be read directly out of a capture.

9
Q

Address Resolution Protocol (ARP)

A

Maps IP addresses to MAC addresses. The requester broadcasts an ARP_REQUEST ("who has 10.0.0.1?"); the system that owns the address responds with a unicast ARP_REPLY carrying its MAC address. ARP has no authentication, which is what makes ARP poisoning possible.

10
Q

Display current ARP cache

A

arp -a (Windows, Linux and macOS; ip neigh show is the modern Linux equivalent)

11
Q

Delete entries from the ARP cache

A

arp -d * or netsh interface ip delete arpcache on Windows (both need an administrator prompt); ip -s -s neigh flush all on Linux.

12
Q

Technique used to spoof the MAC address associated with an IP (impersonate another host on the LAN)

A

Sending a gratuitous ARP, an unsolicited ARP reply that announces the victim's IP with the attacker's MAC; hosts that receive it update their ARP caches without any verification.

13
Q

Unicast

A

A packet addressed to a single device

14
Q

Multicast

A

A packet addressed to a group of devices

15
Q

Anycast

A

A packet addressed to a group of devices, but delivered only to the nearest member in terms of routing distance.

16
Q

IPV6 Link Local address

A

fe80::/10, equivalent to APIPA (169.254.0.0/16) in IPv4; automatically configured on every interface and valid only on the local link, never routed.

17
Q

IPV6 Unique Local address

A

fc00::/7, equivalent to RFC 1918 private IPv4 addresses; routable inside an organization but not on the public Internet.

18
Q

IPV6 Global addresses

A

Globally routable unicast addresses, currently allocated from 2000::/3; equivalent to public IPv4 addresses.

19
Q

Lawful Interception

A

Process of legally intercepting communications between two or more users for surveillance of telecommunications, VOIP and multiservice networks

20
Q

Planning Tool for Resource Integration, Synchronization, and Management (PRISM)

A

US NSA program for collecting foreign intelligence from data held by US Internet companies; public since the 2013 Snowden disclosures.

21
Q

Passive sniffing

A

Plugging in a sniffer and capturing whatever passes by without transmitting anything. Limited to the attacker's own collision domain (a hub, or a SPAN port), so on a switched network it sees little beyond broadcast and multicast traffic.

22
Q

Active sniffing

A

Techniques that transmit in order to see traffic from other collision domains: packet injection (MAC flooding, ARP poisoning) or port spanning, also known as port mirroring (SPAN). Note that many switches configure the mirror destination port as receive-only, so the analyzer attached to it can listen but not transmit.

23
Q

MAC flooding

A

Flood a switch with frames from thousands of bogus source MACs so that its content addressable memory (CAM) table fills up; once it is full, many switches fall back to hub-like behaviour and flood traffic for unknown destinations out of every port. Classic tool: macof (dsniff). Not the same as switch port stealing, which sends frames with the victim's MAC as source so the switch moves that MAC's CAM entry to the attacker's port.

24
Q

ARP poisoning

A

Also known as ARP spoofing; carried out with gratuitous (unsolicited) ARP replies. The process of maliciously changing a machine's ARP cache to inject faulty IP-to-MAC entries, typically so that traffic meant for the gateway or another victim is sent to the attacker's MAC and can be read or modified in transit (man-in-the-middle).
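
Added example covering the ARP_REQUEST/ARP_REPLY exchange, gratuitous ARP and ARP poisoning cards above (not part of the original flashcards): it builds and parses raw ARP payloads (RFC 826 layout, Ethernet header omitted), then runs an arpwatch-style monitor over a constructed sequence in which an attacker poisons both the victim and the gateway. Hosts, addresses and the baseline binding are all made up for the demo.

```python
import struct
from collections import defaultdict

# ARP body for Ethernet/IPv4 (RFC 826): htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = 28 bytes
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(oper, sha, spa, tha, tpa):
    """Build the ARP payload (the Ethernet header is left out for brevity)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))

def parse_arp(payload):
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}

class ArpWatch:
    """arpwatch-style monitor: learn IP->MAC bindings from replies and alert when a binding changes
    or when one MAC starts answering for several IPs, the signature of a man-in-the-middle."""
    def __init__(self, baseline=None):
        self.ip_to_mac = dict(baseline or {})           # trusted starting bindings, e.g. the gateway
        self.mac_to_ips = defaultdict(set)
        for ip, mac in self.ip_to_mac.items():
            self.mac_to_ips[mac].add(ip)
        self.alerts = []

    def observe(self, payload):
        p = parse_arp(payload)
        if p["oper"] != ARP_REPLY:                      # requests carry no binding claim worth learning
            return []
        ip, mac, found = p["spa"], p["sha"], []
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            how = " via gratuitous ARP" if p["spa"] == p["tpa"] else ""
            found.append(f"{ip} moved from {old} to {mac}{how}")
        new_claim = ip not in self.mac_to_ips[mac]
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if new_claim and len(self.mac_to_ips[mac]) > 1:
            found.append(f"{mac} now answers for {sorted(self.mac_to_ips[mac])} (possible MITM)")
        self.alerts.extend(found)
        return found

def demo():
    """Constructed LAN: gateway, victim, attacker. The attacker poisons both ends of the conversation."""
    gw, victim = "10.0.0.1", "10.0.0.20"
    gw_mac, victim_mac, atk_mac = "00:11:22:33:44:01", "00:11:22:33:44:20", "de:ad:be:ef:00:66"
    watch = ArpWatch({gw: gw_mac})
    frames = [
        build_arp(ARP_REQUEST, victim_mac, victim, "00:00:00:00:00:00", gw),   # victim: who has 10.0.0.1?
        build_arp(ARP_REPLY, gw_mac, gw, victim_mac, victim),                  # gateway: 10.0.0.1 is-at gw_mac
        build_arp(ARP_REPLY, atk_mac, gw, victim_mac, victim),                 # poison victim: gateway is-at attacker
        build_arp(ARP_REPLY, atk_mac, victim, gw_mac, gw),                     # poison gateway: victim is-at attacker
    ]
    for frame in frames:
        watch.observe(frame)
    return watch.alerts
```

demo() returns two alerts: the gateway's binding moving to the attacker's MAC, and the attacker's MAC answering for both the gateway and the victim. The second signal is the one to key on in practice, since a legitimate NIC replacement changes one binding but never makes a single MAC claim two IPs.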

25
Q

ARP poisoning tools

A

Cain & Abel,
WinArpAttacker,
Ufasoft Snif,
dsniff (arpspoof),
Ettercap, Bettercap

26
Q

DHCP Starvation

A

Exhaust all leasable addresses on a DHCP server by requesting leases from many spoofed client MAC addresses. A form of denial of service, often a prelude to a rogue DHCP server attack. Tools: Yersinia, dhcpstarv. Mitigation: DHCP snooping and port security configured on the access switch (not on the DHCP server). DHCP snooping is a layer 2 security feature built into capable switches that drops DHCP traffic it determines to be unacceptable. Its fundamental use case is to prevent unauthorized (rogue) DHCP servers from offering addresses to clients: server messages (OFFER/ACK) are accepted only on ports marked trusted. Starvation itself is countered by rate-limiting DHCP packets per port and by port security limiting the MAC addresses learned on a port.

27
Q

Rogue DHCP server attack

A

An attacker sets up their own DHCP server (often after starving the legitimate one) and hands out IP addresses and options such as default gateway and DNS server, so that the clients' communications are routed or resolved through the attacker.

28
Q

MAC address spoofing

A

Some OS/drivers allow you to change it on the NIC (Linux: ip link set dev eth0 address followed by the new MAC; Windows: the adapter's advanced properties in Device Manager). You can also use a tool like SMAC.

29
Q

Switch Port Security

A

Manually assign the allowed MAC address(es) to a port (static or sticky). Network admins can also restrict the number of MAC addresses learned on a port. If the limit is exceeded, the violation action applies: on Cisco switches the default (shutdown mode) puts the port into err-disabled state and its LED goes amber; the protect and restrict modes drop the offending frames instead.

30
Q

ICMP Router Discovery Protocol (IRDP) spoofing

A

An attacker sends spoofed IRDP router advertisements so that hosts change their default gateway to the attacker's machine, enabling man-in-the-middle or denial of service.

31
Q

Wireshark filters

A

!protocol (or not protocol) - filter out the protocol, e.g. !arp
http.request - displays all HTTP requests, any method; use http.request.method == "GET" for GETs only
tcp contains "string" - shows all TCP packets whose payload contains that string
ip.addr == <ip address> && tcp.port == <port>
ip.addr == <ip address> || ip.addr == <ip address> (or and || are interchangeable, as are and and &&)

32
Q

Wireshark TCP Filters

A

tcp.flags == 0xNN, where the hex value is the exact set of flags:
0x01 = FIN
0x02 = SYN
0x04 = RST
0x08 = PSH
0x10 = ACK
0x20 = URG
Combine by adding: 0x12 = SYN/ACK, 0x29 = FIN/PSH/URG (Xmas scan), 0x00 = no flags (NULL scan). The == match is exact, so tcp.flags == 0x02 shows only pure SYNs; to match any packet with a given flag set use tcp.flags.syn == 1 and similar.

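Added example for the two flag-filter cards above (not from the original flashcards): a minimal TCP header builder and parser, with the two Wireshark filter semantics reproduced as functions and exercised over a constructed handshake plus Xmas and NULL scan probes. Port numbers and sequence numbers are made up.

```python
import struct

# Flag bit values as used in Wireshark's tcp.flags field (ECE and CWR sit above URG)
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
TCP_HDR = "!HHIIHHHH"   # sport, dport, seq, ack, offset+flags, window, checksum, urgent pointer

def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Minimal 20-byte TCP header without options; checksum left at zero (no pseudo-header here)."""
    offset_and_flags = (5 << 12) | flags       # 5 x 32-bit words in the top 4 bits, flags in the low 9
    return struct.pack(TCP_HDR, sport, dport, seq, ack, offset_and_flags, window, 0, 0)

def parse_tcp_header(hdr):
    sport, dport, seq, ack, offset_and_flags, window, _csum, _urg = struct.unpack(TCP_HDR, hdr[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "hdr_len": (offset_and_flags >> 12) * 4, "flags": offset_and_flags & 0x01FF}

def flag_names(flags):
    return [name for name, bit in TCP_FLAGS.items() if flags & bit]

def match_flags_exact(pkt, value):
    """Semantics of  tcp.flags == 0xNN : the whole flag set must equal the value."""
    return pkt["flags"] == value

def match_flag_bit(pkt, name):
    """Semantics of  tcp.flags.syn == 1 : that one bit is set, whatever else is."""
    return bool(pkt["flags"] & TCP_FLAGS[name])

def demo():
    """Constructed headers: a three-way handshake to port 80, then an Xmas and a NULL scan probe to port 22."""
    packets = [parse_tcp_header(h) for h in (
        build_tcp_header(40000, 80, TCP_FLAGS["SYN"]),                                        # 0: client SYN
        build_tcp_header(80, 40000, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]),                     # 1: server SYN/ACK (0x12)
        build_tcp_header(40000, 80, TCP_FLAGS["ACK"]),                                        # 2: client ACK
        build_tcp_header(40000, 22, TCP_FLAGS["FIN"] | TCP_FLAGS["PSH"] | TCP_FLAGS["URG"]),  # 3: Xmas probe (0x29)
        build_tcp_header(40000, 22, 0),                                                       # 4: NULL probe
    )]
    def where(pred):
        return [i for i, p in enumerate(packets) if pred(p)]
    return {
        "tcp.flags == 0x02":  where(lambda p: match_flags_exact(p, 0x02)),   # pure SYN only
        "tcp.flags.syn == 1": where(lambda p: match_flag_bit(p, "SYN")),     # SYN and SYN/ACK
        "tcp.flags == 0x12":  where(lambda p: match_flags_exact(p, 0x12)),   # SYN/ACK
        "xmas (0x29)":        where(lambda p: match_flags_exact(p, 0x29)),
        "null (0x00)":        where(lambda p: match_flags_exact(p, 0x00)),
    }
```

demo() shows the difference that trips people up: tcp.flags == 0x02 selects only packet 0, while tcp.flags.syn == 1 selects packets 0 and 1, because the SYN/ACK also has the SYN bit set.
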
33
Q

Put tcpdump in listening mode

A

tcpdump -i eth0 (add -n to skip name resolution, -w file.pcap to save the capture for later analysis, and -p to leave the interface out of promiscuous mode)

34
Q

Tool that can be used to analyze packet captures from tcpdump, WinDump, Wireshark and EtherPeek

A

tcptrace

35
Q

Intrusion Detection System (IDS)

A

Hardware and/or software that examines streams of packets for unusual or malicious behaviour, either by matching a signature list or by detecting anomalies against learned normal behaviour. A signature based IDS is only as good as its signature list and misses novel attacks; an anomaly based IDS can catch unknown attacks but produces more false positives. Snort is an IDS.

36
Q

Libwhisker

A

A Perl library used for HTTP-related functions including vulnerability scanning and IDS evasion (request encoding, session splicing and similar tricks). Used by Nikto.

37
Q

False Negative - from an IDS perspective

A

Occurs when an IDS misses an intrusion and reports the traffic as fine. Worse than a false positive, because the attack proceeds unnoticed.

38
Q

Host based IDS (HIDS)

A

Resides on a host and not on the network, watching that host's logs, file system and processes. HIDS are often signature based. HIDS examples:
Tripwire,
Cybersafe,
Norton Internet Security

39
Q

Host Based Security System (HBSS)

A

The Host Based Security System (HBSS) is the official name given to the United States Department of Defense (DOD) commercial-off-the-shelf (COTS) suite of software applications used within the DOD to monitor, detect, and defend the DOD computer networks and systems. The Enterprise-wide Information Assurance and computer Network Defense Solutions Steering Group (ESSG) sponsored the acquisition of the HBSS System for use within the DOD Enterprise Network. HBSS is deployed on both the Non-Classified Internet Protocol Routed Network (NIPRNet) and Secret Internet Protocol Routed Network (SIPRNet) networks, with priority given to installing it on the NIPRNet. HBSS is based on McAfee, Inc’s ePolicy Orchestrator (ePO) and other McAfee point product security applications such as Host Intrusion Prevention System (HIPS).

40
Q

Network Intrusion Detection System (NIDS)

A

NIDS sit at choke points such as the network perimeter, typically fed by a SPAN port or a tap, and watch traffic entering and leaving the network.

41
Q

SNORT

A

Open source IDS, powerful sniffer, traffic logging and protocol analysis tool that can detect buffer overflows, port scans and operating system fingerprinting attempts. Rule sets (signatures) are updated often. Snort can run in three different modes: Sniffer Mode, Packet Logger Mode and IDS Mode.

42
Q

IDS will have difficulty detecting malicious activity if:

A

The traffic is encrypted (the sensor cannot inspect payloads) or obfuscated, for example by decoys, fragmentation or encoding.

43
Q

Network Tap

A

A passive connection inserted into a link that copies all traffic going by it to a monitoring port. Place it at the correct location (a choke point on the path you need to see) and make sure it is rated for the link's full throughput, or it will drop packets.

44
Q

Snort Configuration file - snort.conf

A

Resides in /etc/snort on Linux and C:\Snort\etc on Windows. Defines variables such as HOME_NET, preprocessors, output plugins and the list of rule files to load at startup.

45
Q

Snort HOME_NET

A

Variable that defines the local network, i.e. the addresses the rules protect (for example the 192.168.1.0/24 range); EXTERNAL_NET is usually defined as the negation of HOME_NET.

46
Q

Snort Rule

A

A single line in a rules file consisting of a header and options. The header holds the action, the protocol, a source address/port, the direction operator (-> or <> for bidirectional) and a destination address/port; the options in parentheses hold the message (msg), payload matches (content, with modifiers such as nocase), the rule id (sid) and revision (rev). Actions include alert, log and pass (plus activate/dynamic, and drop, reject and sdrop in inline mode).
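
Added example for the HOME_NET and Snort rule cards above (not part of the original flashcards and not Snort's own code): a small parser for the rule header and options described in the card, with $VAR resolution against a constructed snort.conf-style variable table, and a matcher that runs two constructed rules over constructed packets. Address lists, |hex| content and most rule options are deliberately not handled.

```python
import ipaddress
import re

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def addr_matcher(token, variables):
    """Predicate ip -> bool for a Snort address token: any, $VAR, CIDR, host, or !<token>."""
    if token.startswith("!"):
        inner = addr_matcher(token[1:], variables)
        return lambda ip: not inner(ip)
    if token.startswith("$"):
        return addr_matcher(variables[token[1:]], variables)   # $HOME_NET etc. from snort.conf
    if token == "any":
        return lambda ip: True
    net = ipaddress.ip_network(token, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net

def port_matcher(token):
    """Predicate port -> bool for any, a single port, a lo:hi range, or !<token>."""
    if token.startswith("!"):
        inner = port_matcher(token[1:])
        return lambda p: not inner(p)
    if token == "any":
        return lambda p: True
    if ":" in token:
        lo, hi = token.split(":")
        lo, hi = int(lo or 0), int(hi or 65535)
        return lambda p: lo <= p <= hi
    return lambda p: p == int(token)

def parse_rule(line, variables):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed rule: {line!r}")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    rule = {"action": action, "proto": proto, "direction": direction,
            "src": addr_matcher(src, variables), "sport": port_matcher(sport),
            "dst": addr_matcher(dst, variables), "dport": port_matcher(dport),
            "contents": [], "nocase": False, "msg": "", "sid": None}
    for key, value in OPTION_RE.findall(body):
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        if key == "content":
            rule["contents"].append(value.encode())   # plain text only; |hex| notation not handled here
        elif key == "nocase":
            rule["nocase"] = True                      # simplification: applied to every content in the rule
        elif key == "msg":
            rule["msg"] = value
        elif key == "sid":
            rule["sid"] = int(value)
    return rule

def rule_matches(rule, pkt):
    """Header match (honouring <> bidirectional rules), then every content: must appear in the payload."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    def one_way(s, sp, d, dp):
        return s(pkt["src"]) and sp(pkt["sport"]) and d(pkt["dst"]) and dp(pkt["dport"])
    hit = one_way(rule["src"], rule["sport"], rule["dst"], rule["dport"])
    if not hit and rule["direction"] == "<>":
        hit = one_way(rule["dst"], rule["dport"], rule["src"], rule["sport"])
    if not hit:
        return False
    payload = pkt["payload"].lower() if rule["nocase"] else pkt["payload"]
    return all((c.lower() if rule["nocase"] else c) in payload for c in rule["contents"])

def run_demo():
    """Constructed variables, rules and packets; returns the sids that fire for each packet."""
    variables = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}
    rules = [parse_rule(r, variables) for r in (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Directory traversal in URI"; content:"../"; sid:1000001; rev:1;)',
        'alert tcp any any -> $HOME_NET 23 (msg:"Telnet login prompt"; content:"login:"; nocase; sid:1000002; rev:1;)',
    )]
    packets = [
        {"proto": "tcp", "src": "203.0.113.5", "sport": 51000, "dst": "192.168.1.10", "dport": 80,
         "payload": b"GET /../../etc/passwd HTTP/1.1\r\n"},
        {"proto": "tcp", "src": "192.168.1.20", "sport": 51001, "dst": "192.168.1.10", "dport": 80,
         "payload": b"GET /../../etc/passwd HTTP/1.1\r\n"},          # internal source: not $EXTERNAL_NET
        {"proto": "tcp", "src": "203.0.113.5", "sport": 51002, "dst": "192.168.1.10", "dport": 23,
         "payload": b"\xff\xfd\x01Login: "},                             # matches only because of nocase
        {"proto": "tcp", "src": "203.0.113.5", "sport": 51003, "dst": "192.168.1.10", "dport": 443,
         "payload": b"../"},                                             # wrong destination port
    ]
    return [[r["sid"] for r in rules if rule_matches(r, p)] for p in packets]
```

run_demo() returns [[1000001], [], [1000002], []]: the second packet carries the same traversal string but comes from inside HOME_NET, so the $EXTERNAL_NET clause keeps the rule quiet, which is exactly why getting HOME_NET right in snort.conf matters.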

47
Q

Firewall

A

A device designed to protect internal resources from unauthorized external access. Firewalls work with both explicit rules and an implicit rule (usually deny) at the end. Rule order matters, because the first match on a rule typically ends rule processing.

48
Q

Packet filtering firewalls

A

Examine packet headers (source and destination address, port, protocol) to make a forward or drop decision. Stateless: each packet is judged on its own, with no memory of earlier packets.

49
Q

Stateful inspection firewalls

A

Tracks the state of each connection in a session table, so only packets that belong to an established or expected session are allowed. Also known as stateful multilayer inspection; operates from the network layer up to the application layer.

50
Q

Circuit level firewall

A

Works at the session layer (OSI layer 5): validates the TCP/UDP session setup and relays the session, without inspecting the application payload.

51
Q

Application level firewall

A

Works as an application proxy: understands a specific protocol (HTTP, FTP, SMTP) and inspects and relays its content on behalf of the client.

52
Q

HTTP tunneling

A

A firewall evasion technique in which arbitrary traffic is encapsulated inside HTTP on port 80 (or HTTPS on 443), which most firewalls allow outbound.

53
Q

HTTP beacons

A

Malware communicating with its Command and Control (C2) server over HTTP, typically with periodic check-in requests that blend in with normal web traffic.

54
Q

IDS Evasion Techniques

A

Go slow (stay under rate thresholds), deploy decoys and fake attacks to flood the sensor with noise, use fragmentation so no single packet matches a signature, and use Unicode or other encodings to disguise attack strings.

55
Q

IDS Evasion Tools

A

Nessus,
ADMmutate (polymorphic shellcode encoder),
NIDSbench (fragmentation),
Inundator (flooding tool),
IDS Informer (can replay captured traffic to craft an IDS evasion),
Packet Generator and
PackETH (packet crafting).

56
Q

Firewall Discovery and Evasion

A

ICMP Type 3, Code 13 (communication administratively prohibited) shows traffic is being filtered by a firewall or ACL.
ICMP Type 3, Code 3 (port unreachable) means the host itself was reached but has that port closed.
Firewall Informer can discover the location of firewalls.

57
Q

Firewalking

A

Determine which ports a firewall allows through by sending probes whose TTL expires one hop past the firewall: an ICMP Time Exceeded (Type 11) from the next hop means the firewall let the packet through on that port; silence means it was filtered. Tools for firewalking and firewall evasion:
Nmap,
Firewalk,
CovertTCP,
ICMP Shell,
007 Shell

58
Q

Honeypot

A

A system set up as a decoy to entice attackers and record what they do. Needs to be walled off from other systems so that a compromise of the honeypot cannot be used as a stepping stone into production.

59
Q

High Interaction Honeypot

A

Runs real operating systems with all services and applications and is designed to be completely compromised, giving the most detail about attacker behaviour at the highest risk. Examples: Symantec Decoy Server and honeynets.

60
Q

Low Interaction Honeypot

A

Emulates a limited number of services and, by design, cannot be completely compromised. Examples:
Specter,
Honeyd and
KFSensor

61
Q

DHCP Packets

A

The DORA exchange:
DHCPDISCOVER (client broadcast),
DHCPOFFER (server),
DHCPREQUEST (client),
DHCPACK (server)
Other message types: DHCPNAK, DHCPDECLINE, DHCPRELEASE, DHCPINFORM.
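
Added example for the DHCP starvation, rogue DHCP server and DHCP packet cards (not part of the original flashcards): a builder and parser for the BOOTP fixed header plus DHCP options, and a model of the switch-side DHCP snooping policy described above: server replies are accepted only on trusted ports, client requests are capped per port, and ACKs populate the MAC-to-IP binding table. Port names, addresses and the per-port limit are made up for the demo.

```python
import struct
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"                  # marks the start of DHCP options after the 236-byte BOOTP header
BOOTREQUEST, BOOTREPLY = 1, 2
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 53, 54, 255

def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)

def build_dhcp(op, xid, client_mac, yiaddr="0.0.0.0", options=()):
    """BOOTP fixed header + magic cookie + (code, length, value) options + end marker."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0")
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, ip_bytes(yiaddr), b"\0" * 4, b"\0" * 4, chaddr, b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return fixed + MAGIC + body + bytes([OPT_END])

def parse_dhcp(pkt):
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                          # pad option has no length byte
            i += 1
            continue
        length = pkt[i + 1]
        options[pkt[i]] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    kind = MSG_TYPES.get(options[OPT_MSG_TYPE][0]) if OPT_MSG_TYPE in options else None
    return {"op": op, "xid": xid, "type": kind, "yiaddr": ip_str(pkt[16:20]),
            "client_mac": ":".join(f"{b:02x}" for b in pkt[28:28 + hlen]), "options": options}

class DhcpSnooper:
    """Switch-side DHCP snooping model: server replies only from trusted ports, client requests
    capped per port, and a MAC -> IP binding table filled from DHCPACKs."""
    def __init__(self, trusted_ports, max_clients_per_port):
        self.trusted = set(trusted_ports)
        self.limit = max_clients_per_port
        self.clients = defaultdict(set)          # port -> client MACs seen requesting
        self.bindings = {}                       # client MAC -> leased IP, from DHCPACK

    def inspect(self, port, pkt):
        msg = parse_dhcp(pkt)
        if msg["op"] == BOOTREPLY:
            if port not in self.trusted:
                return f"DROP {msg['type']} from untrusted port {port} (rogue server?)"
            if msg["type"] == "DHCPACK":
                self.bindings[msg["client_mac"]] = msg["yiaddr"]
            return "FORWARD"
        self.clients[port].add(msg["client_mac"])
        if len(self.clients[port]) > self.limit:
            return f"DROP {msg['type']}: {len(self.clients[port])} client MACs on {port} exceeds {self.limit} (starvation?)"
        return "FORWARD"

def demo():
    """Constructed exchange: one real client on Gi1/0/7, the legitimate server on trusted Gi1/0/1,
    a rogue server on Gi1/0/9, then a starvation attempt with spoofed client MACs (limit 2 per port)."""
    snoop = DhcpSnooper(trusted_ports={"Gi1/0/1"}, max_clients_per_port=2)
    client = "00:11:22:33:44:55"
    discover = [(OPT_MSG_TYPE, b"\x01")]
    def offer(server, router):
        return [(OPT_MSG_TYPE, b"\x02"), (OPT_SERVER_ID, ip_bytes(server)), (OPT_ROUTER, ip_bytes(router))]
    results = [
        snoop.inspect("Gi1/0/7", build_dhcp(BOOTREQUEST, 0x1234, client, options=discover)),
        snoop.inspect("Gi1/0/1", build_dhcp(BOOTREPLY, 0x1234, client, "192.168.1.50", offer("192.168.1.1", "192.168.1.1"))),
        snoop.inspect("Gi1/0/9", build_dhcp(BOOTREPLY, 0x1234, client, "192.168.1.200", offer("192.168.1.66", "192.168.1.66"))),
        snoop.inspect("Gi1/0/1", build_dhcp(BOOTREPLY, 0x1234, client, "192.168.1.50", [(OPT_MSG_TYPE, b"\x05"), (OPT_SERVER_ID, ip_bytes("192.168.1.1"))])),
    ]
    for i, spoofed in enumerate(("02:00:00:00:00:01", "02:00:00:00:00:02")):
        results.append(snoop.inspect("Gi1/0/7", build_dhcp(BOOTREQUEST, 0x5000 + i, spoofed, options=discover)))
    return results, dict(snoop.bindings)
```

demo() forwards the real DISCOVER, OFFER and ACK, drops the rogue OFFER because it arrived on an untrusted port, forwards the first spoofed DISCOVER (two MACs on the port, at the limit) and drops the second (three MACs, over the limit). The binding table it leaves behind is what Dynamic ARP Inspection uses to reject ARP replies that contradict a lease.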