Sniffing and Evasion

Question 1

At what layer does Sniffing occur

Answer 1

Layer 2- Data link Layer

Question 2

WinPcap

Answer 2

Driver for windows machines that allows OS to extend to access low-level network access.

Question 3

Collision domain

Answer 3

Composed of all machines sharing the same transport medium. Hubs share the same domain switches split domains so that each system is in it’s own domain

Question 4

upper layer protocols suscepible to sniffing

Answer 4

SMTP (not so much v3), FTP(user name and passwd), TFTP (Everything in clear text), Telnet (keystokes, User name paswd), SNMPv1 (Passwd and data), NNTP (Passwd and data), IMAP, POP3, HTTP

Question 5

ARP

Answer 5

Address resolution Protocol. Layer 2 - Data Link Layer. Resolves ip to mac address. ARP_request asks what ip can process message? arp_reply states thats me my mac is

Question 6

gratuitous arp

Answer 6

Packet that updates the arp cache of other machimes before they ask for it.

Question 7

IPv6

Answer 7

Uses 128 bit address instead of 32 bit (IPv4). Eight group of 4 hexadecimal digits separated by colons. Loop back is truncated to ::1. fe80::/10 link-local addressing. unique local fc00::/7. site local FEC0::/10 Contains Unicast, Multicast and Anycast

Question 8

PRISM

Answer 8

Planning Tool for Resource Integration Synchronization and Management used by US intelligence to collect foreign intelligence passing through us networks

Question 9

Span Port

Answer 9

Switch configuration where one port has been altered to send a copy of all frames from one port to another or a succession of ports to another. also called port mirroring

Question 10

Mac Flooding

Answer 10

Flood switch with so many mac address that CAM table can’t keep up and becomes a Hub. Etherflood and Macof are flood tools. Sometimes called “switch port stealing” creates race contition and switch alters between bad and good mac address. None of this really works on most modern switches

Question 11

Content addressable memory (CAM Table)

Answer 11

memory referenced by switch that connects mac to port

Question 12

ARP Poisoning

Answer 12

Arp Spoofing gratuitous arp. This poisons the arp cache on a machine. Switches will forward ARP because they “broadcast”. Tools: Cain and Abel, WinArpAttacker, Ufasoft, dsnif (ARPspoof tool)

Question 13

ARP poisoning mitigation

Answer 13

Dynamic ARP inspection using DHCP snooping, Xarp, can add default gateway mac manually using (arp -s)

Question 14

DHCP

Answer 14

Dynamic Host Configuration Protocol. server Dynamically assigns IP address from a configured pool within a network. DORA Discover, offer, request, accept

Question 15

DHCP starvation

Answer 15

continually send requests until IP address pool is exhausted. Tools: Yersinia, DHCP Starve

Question 16

DHCP starvation Mitigation

Answer 16

Configure DHCP snooping

Question 17

Mac spoofing Mitigation

Answer 17

Utilize port security on switches. Assign mac addresses to specific ports.

Question 18

IRDP Spoofing

Answer 18

ICMP Router Discovery Protocol Spoof. Sends spoofed IRDP message though out the network advertising the gateway to start routing all messages though.

Question 19

WireShark DISPLAY FILTER syntax

Answer 19

uses “==” “&&” “or” “.” i.e. ip.addr==192.168.0.0&&tcp.port==23

Question 20

tcptrace

Answer 20

analyzes files produced by packet capture programs. can read from tcpdump, windDump, Wireshark and Etherpeek

Question 21

IDS evasion tools

Answer 21

Nessus, ADMmutate (can create scripts that are not easily recognizable by signature files), NIDSbench (older used for fragmentation), and Inundator (flooding tool). IDS Informer, Packet Generator and Packeth capture network traffic craft start to finish a test file to see what will get through

Question 22

Honey Pot

Answer 22

Catch and gain information on intruder. High And Low interaction: Former full of services and later only some services and can’t be totally compromised.
Former Honeynets and decoy server, later Specter, honeyd, KFSensor.
Place inside the DMZ make it look tasty.

Nessus and send-safe Honeypot Hunter good at locating them.

Question 23

circuit-layer firewall

Answer 23

layer 5 session layer firewall allows or prevent data streams

Question 24

Application Layer firewall

Answer 24

Layer 7 application layer allows or prevents services