04 Sniffing and Evasion Flashcards
- Given the following Wireshark filter, what is the attacker attempting to view?
((tcp.flags == 0x02) || (tcp.flags == 0x12) ) ||
((tcp.flags == 0x10) && (tcp.ack==1) && (tcp.len==0) )
A. SYN, SYN/ACK, ACK
B. SYN, FIN, URG, and PSH
C. ACK, ACK, SYN, URG
D. SYN/ACK only
A. You’ll see bunches of Wireshark questions on your exam—it’s probably the subject EC-Council loves the most regarding this chapter—and syntax will be the key to answering all of them. For this particular question subject, remember Wireshark has the ability to filter based on a hexadecimal numbering system assigned to TCP flags. The assigned flag hex numbers are FIN = 1, SYN = 2, RST = 4, PSH = 8, ACK = 16, and URG = 32. Putting these hex numbers together (for example, SYN + ACK = 12) allows you to simplify a Wireshark filter. For example, tcp.flags == 0x2 looks for SYN packets, tcp.flags == 0x16 looks for ACK packets, and tcp.flags == 0x12 looks for both (the attacker here will see all SYN packets, all SYN/ACK packets, and all ACK packets). In this example, the decimal numbers were used, just not in a simplified manner.
As far as the rest of Wireshark filtering syntax goes, there are a couple key points to remember. First, be sure to remember it uses double “equals” signs (==) in the expression (ip.addr = 10.10.10.0/24 won’t work, but ip addr == 10.10.10.0/24 will). Next, know the difference between the definitions for “and” and “or.” An “and” in the filter means both expressions will be queried and displayed, but only if both are true. (In other words, “Show me all packets containing this source address and headed toward this destination IP. If it’s from this source but going somewhere else, ignore it. If it’s headed to this destination but is not from this source, ignore it.”) An “or” in the filter means either of the expressions can be true (that is, “Show me all packets containing this source address and any packets going to this destination IP, no matter the destination or source address, respectively, for the two”).
B, C, and D are incorrect because these do not match the decimal numbers provided in the capture (2 for SYN, 18 for SYN/ACK, and 16 for ACK).
- A target machine (with a MAC of 12:34:56:AB:CD:EF) is connected to a switch port. An attacker (with a MAC of 78:91:00:ED:BC:A1) is attached to a separate port on the same switch with a packet capture running. There is no spanning of ports or port security in place. Two packets leave the target machine. Message 1 has a destination MAC of E1:22:BA:87:AC:12. Message 2 has a destination MAC of FF:FF:FF:FF:FF:FF. Which of the following statements is true regarding the messages being sent?
A. The attacker will see message 1.
B. The attacker will see message 2.
C. The attacker will see both messages.
D. The attacker will see neither message.
B. This question is all about how a switch works, with a little MAC knowledge thrown in. Remember that switches are designed to filter unicast messages but to flood multicast and broadcast messages (filtering goes to only one port, whereas flooding sends to all). Broadcast MAC addresses in the frame are easy to spot—they’re always all Fs, indicating all 48 bits turned on in the address. In this case, message 1 is a unicast address and went off to its destination, whereas message 2 is clearly a broadcast message, which the switch will gladly flood to all ports, including the attacker’s.
Other versions of this same question will center on the efforts an attacker can use to see that packet. Should the attacker desire to see all messages, a MAC flood could turn the switch into a hub, effectively flooding all packets to all ports. Another option is to span a port (break into the configuration of the switch and tell it to send all traffic destined for a specific port to that port and to the attacker’s). Lastly, port stealing (a totally fun memorization term from EC-Council) allows an attacker to take advantage of the race condition (where the switch is constantly updating MAC address bindings for ports) during a MAC flood attempt to effectively steal a port and sniff all traffic aimed for the target machine.
A is incorrect because the unicast destination MAC does not match the attacker’s machine. When the frame is read by the switch and compared to the internal address list (CAM table), it will be filtered and sent to the appropriate destination port.
C is incorrect because the switch will not flood both messages to the attacker’s port—it floods only broadcast and multicast.
D is incorrect because the broadcast address will definitely be seen by the attacker.
- You have tapped into a network subnet of your target organization. You begin an attack by learning all significant MAC addresses on the subnet. After some time, you decide to intercept messages between two hosts. You send broadcast messages to Host A showing your MAC address as belonging to Host B. What is being accomplished here?
A. ARP poisoning to allow you to see all messages from either host without interrupting their communications process
B. ARP poisoning to allow you to see messages from Host A to Host B
C. ARP poisoning to allow you to see messages from Host B to Host A
D. ARP poisoning to allow you to see messages from Host A destined to any address
E. ARP poisoning to allow you to see messages from Host B destined to any address
B. ARP poisoning is a relatively simple way to place yourself as the “man in the middle” and spy on traffic (by the way, be careful with the term man in the middle because it usually refers to a position where you are not interrupting traffic). The ARP cache is updated whenever your machine does a name lookup or when ARP (a broadcast protocol) receives an unsolicited message advertising a MAC-to-IP match. In this example, you’ve told Host A that you hold the MAC address for Host B. Host A will update its cache, and when a message is being crafted by the OS, it will happily put the spoofed address in its place. Just remember that ARP poisoning is oftentimes noisy and may be easy to discover if port security is enabled: depending on implementation, the port will lock (or amber in nerd terminology) when an incorrect MAC tries to use it or when multiple broadcasts claiming different MACs are seen. Additionally, watch out for denial-of-service side effects of attempting ARP poisoning—you may well bring down a target without even trying to, not to mention Host B is eventually going to find out it’s not receiving anything from Host A. As a side note, detection of ARP poisoning can be done with a tool called xARP (www.chrismc.de).
A is incorrect for a couple reasons. First, you won’t receive messages from each host addressed to anywhere in the world—you’ll only receive messages addressed from Host A to Host B. Second, the communications flow between the two hosts will be affected by this. As a matter of fact, Host A can never talk to Host B: the ARP poisoning has all messages going to you, the hacker.
C is incorrect because you didn’t poison Host B’s cache—Host A was the target.
D is incorrect because you didn’t poison Host A’s mapping to the default gateway or anything like that—you will only receive messages intended for Host B.
E is incorrect because you did not poison Host B at all.
- Your target subnet is protected by a firewalled DMZ. Reconnaissance shows the external firewall passes some traffic from external to internal, but blocks most communications. HTTP traffic to a web server in the DMZ, which answers to www.somebiz.com, is allowed, along with standard traffic such as DNS queries. Which of the following may provide a method to evade the firewall’s protection?
A. An ACK scan
B. Firewalking
C. False positive flooding
D. TCP over DNS
D. Of the choices provided, TCP over DNS is the only one that makes any sense. TCP over DNS is exactly what it sounds like—sending TCP traffic that would otherwise use a different port number in packets using port 53. Because the firewall usually allows DNS requests to pass, hiding traffic under port 53 is convenient and fairly easy. The whole thing does require a special DNS server and DNS client setup, but the steps to pull it off aren’t rocket science. While TCP over DNS will allow you to evade the firewall and send traffic internally, it will not provide you instant access to machines or anything like that—it simply allows you to send traffic unnoticed through a firewall. TCP over DNS tools include Iodine (http://code.kryo.se/iodine/), DNS Tunnel (http://dnstunnel.de), and Netcross (https://sourceforge.net/projects/netcross).
Another very common option for passing traffic through a firewall is HTTP tunneling. The same principle applies, except in HTTP tunneling you abuse port 80 instead of port 53. HTTP tunneling tools include httPort (www.targeted.org), SuperNetwork Tunnel (networktunnel.net), and httP-Tunnel (www.http-tunnel.com).
A is incorrect because an ACK scan does nothing to hide traffic or evade the firewall. The scan itself would be loud and noisy, and it would not affect the firewall at all.
B is incorrect because firewalking is a great technique to discover which ports are open (that is, which ports the firewall is allowing to pass) and which are closed. However, it does nothing to hide traffic or evade any suspicion.
C is incorrect because while false positive flooding does provide good “cover fire” for an attacker in an IDS, it does nothing to affect the firewall in any way—traffic to other ports will be blocked because that’s just what a firewall does.
- Which of the following is the best choice in setting an NIDS tap?
A. Connect directly to a server inside the DMZ.
B. Connect directly to a server in the intranet.
C. Connect to a SPAN port on a switch.
D. Connect to the console port of a router. - You have a large packet capture file in Wireshark to review
C. A network intrusion detection system (NIDS) only works well if it can see all the network traffic, and placement obviously makes a huge difference. One common implementation is to connect via a SPAN (Switched Port Analyzer) port on a switch. The configuration for a SPAN port ensures all traffic from a defined range of ports is also sent to the SPAN port. This makes the best option for your NIDS tap, at least as far as this question goes: in the real world, you would most likely set up a passive tap, positioned in the correct location to see everything coming across the wire.
A is incorrect because connecting directly to a single server would give you only the traffic sent to that server (or that server’s subnet, provided the server is watching promiscuously and is configured appropriately). In this case, the DMZ’s traffic is all you’d see.
B is incorrect because connecting directly to a single server would give you only the traffic sent to that server (or that server’s subnet, provided the server is watching promiscuously and is configured appropriately). In this case, the intranet’s traffic is all you’d see.
D is incorrect because connecting to the console port on a router would provide access to no traffic at all. The console port on the router is used specifically for configuration and management of the router.
- You have a large packet capture file in Wireshark to review. You want to filter traffic to show all packets with an IP address of 192.168.22.5 that contain the string HR_admin. Which of the following filters would accomplish this task?
A. ip.addr==192.168.22.5 &&tcp contains HR_admin
B. ip.addr 192.168.22.5 && “HR_admin”
C. ip.addr 192.168.22.5 &&tcp string ==HR_admin
D. ip.addr==192.168.22.5 + tcp contains tide
A. This is a perfect example of a typical question on your exam regarding Wireshark syntax. Answer A is the only one that sticks to Wireshark filter syntax. Definitely know the ip.addr, ip.src, and ip.dst filters; the “tcp contains” filter is another favorite of test question writers. When you combine filters in one search, use the && designator, and don’t forget the use of double equals signs. Another fun version of this same question involves reading the output from Wireshark. A tool that can help you out with the raw files—including output from other tools like tcpdump—is tcptrace (www.tcptrace.org/).
B, C, and D are all incorrect because the syntax is wrong for Wireshark filters. As an aside, a great way to learn the syntax of these filters is to use the expression builder directly beside the filter entry box. It’s self-explanatory and contains thousands of possible expression builds.
- Which of the following techniques can be used to gather information from a fully switched network or to disable some of the traffic isolation features of a switch? (Choose two.)
A. DHCP starvation
B. MAC flooding
C. Promiscuous mode
D. ARP spoofing
B, D. Switches filter all traffic—unless you tell them otherwise, make them behave differently, or the traffic is broadcast or multicast. If you can gain administrative access to the IOS, you can tell it to behave otherwise by configuring a span port (which sends copies of messages from all ports to yours). Legitimate span ports are designed for things such as a network IDS. To make the switch behave differently (at least on older switches, because newer ones don’t allow this much anymore), send more MAC addresses to the switch than it can handle. This fills the CAM and turns the switch, effectively, into a hub (sometimes called a fail open state). Using a tool such as MacOF or Yersinia, you can send thousands and thousands of fake MAC addresses to the switch’s CAM table. ARP spoofing doesn’t really involve the switch much at all—it continues to act and filter traffic just as it was designed to do. The only difference is you’ve lied to it by faking a MAC address on a connected port. The poor switch, believing those happy little ARP messages, will forward all packets destined for that MAC address to you instead of the intended recipient. How fun!
A is incorrect because DHCP starvation is a form of a DoS attack, where the attacker “steals” all the available IP addresses from the DHCP server, which prevents legitimate users from connecting.
C is incorrect because the term promiscuous applies to the way a NIC processes messages. Instead of tossing aside all messages that are not addressed specifically for the machine (or broadcast/multicast), promiscuous mode says, “Bring ’em all in so we can take a look at them using our handy sniffing application.”
- Which of the following statements is true regarding the discovery of sniffers on a network?
A. To discover the sniffer, ping all addresses and examine the latency in responses.
B. To discover the sniffer, send ARP messages to all systems and watch for NOARP responses.
C. To discover the sniffer, configure the IDS to watch for NICs in promiscuous mode.
D. It is almost impossible to discover the sniffer on the network.
D. This question is more about active versus passive sniffing than anything else. I’m not saying it’s impossible, because almost nothing is, but discovering a passive sniffer on your network is very difficult. When a NIC is set to promiscuous mode, it just blindly accepts any packet coming by and sends it up the layers for further processing (which is what allows Wireshark and other sniffers to analyze the traffic). Because sniffers are sitting there pulling traffic and not sending anything in order to get it, they’re difficult to detect. Active sniffing is another thing altogether. If a machine is ARP spoofing or MAC flooding in order to pull off sniffing, it’s much easier to spot it.
A is incorrect because the premise is absolutely silly. Thousands of things can affect latency in response to a ping, but running a sniffer on the box isn’t necessarily one of them, nor is latency an indicator of one being present.
B is incorrect because NOARP is a Linux kernel module that filters and drops unwanted ARP requests. It’s not a response packet we can discover sniffers with.
C is incorrect because it’s impossible to watch for NICs in promiscuous mode. The NIC is simply doing the same job every other NIC is doing—it’s sitting there pulling traffic. The network IDS wouldn’t know, or care, about it.
- Which of the following could provide a useful defense against ARP spoofing? (Choose all that apply.)
A. Using ARPWALL
B. Setting all NICs to promiscuous mode
C. Using private VLANs
D. Using static ARP entries
A, C, D. ARPWALL is an application available for download from SourceForge (http://sourceforge.net/projects/arpwall/). It gives an early warning when an ARP attack occurs and simply blocks the connection. Virtual LANs (VLANs) provide a means to create multiple broadcast domains within a single network. Machines on the same switch are in different networks, and their traffic is isolated. Since ARP works on broadcast, this can help prevent large-scale ARP spoofing. Per courseware, static ARP entries are a good idea and at least one way to fix ARP poisoning, since no matter what is banging around out on the network, the system uses the static mapping you configured. An IDS may also be helpful in spotting ARP shenanigans, but it wouldn’t necessarily do anything about them.
B is incorrect because setting NICs to promiscuous mode wouldn’t do a thing to prevent a broadcast message (ARP) from being received.
- Examine the following Snort rule:
alerttcp !$HOME_NET any -> $HOME_NET 23 (content:
“admin”;msg:”Telnet attempt..admin access”;)
Which of the following statements are true regarding the rule? (Choose all that apply.)
A. This rule will alert on packets coming from the designated home network.
B. This rule will alert on packets coming from outside the designated home address.
C. This rule will alert on packets designated for any port, from port 23, containing the “admin” string.
D. This rule will alert on packets designated on port 23, from any port, containing the “admin” string.
B, D. Snort rules, logs, entries, and configuration files will definitely be part of your exam. This particular rule takes into account a lot of things you’ll see. First, note the exclamation mark (!) just before the HOME_NET variable. Any time you see this, it indicates the opposite of the following variable—in this case, any packet from an address not in the home network and using any source port number, intended for any address that is within the home network. Following that variable is a spot for a port number, and the word any indicates we don’t care what the source port is. Next, we spell out the destination information: anything in the home network and destined for port 23. Finally, we add one more little search before spelling out the message we want to receive: the “content” designator allows us to spell out strings we’re looking for.
A and C are incorrect because these statements are polar opposite to what the rule is stating.
- You want to begin sniffing, and you have a Windows laptop. You download and install Wireshark but quickly discover your NIC needs to be in promiscuous mode. What allows you to put your NIC into promiscuous mode?
A. Installing lmpcap
B. Installing npcap
C. Installing WinPcap
D. Installing libPcap
E. Manipulating the NIC properties through Control Panel | Network and Internet | Change Adapter Settings
C. To understand this, you have to know how a NIC is designed to work. The NIC “sees” lots of traffic but pulls in only the traffic it knows belongs to you. It does this by comparing the MAC address of each frame against its own: if they match, it pulls the frame in and works on it; if they don’t match, the frame is ignored. If you plug a sniffer into a NIC that looks only at traffic designated for the machine you’re on, you’ve kind of missed the point, wouldn’t you say? Promiscuous mode tells the NIC to pull in everything. This allows you to see all those packets moving to and fro inside your collision domain. WinPcap is a library that allows NICs on Windows machines to operate in promiscuous mode.
A is incorrect because lmpcap does not exist.
B is incorrect because npcap does not exist.
D is incorrect because libPcap is used on Linux machines for the same purpose—putting cards into promiscuous mode.
E is incorrect because accessing the Change Adapter Settings window does not allow you to put the card into promiscuous mode—you still need WinPcap for this.
- A network and security administrator installs an NIDS. After a few weeks, a successful intrusion into the network occurs and a check of the NIDS during the timeframe of the attack shows no alerts. An investigation shows the NIDS was not configured correctly and therefore did not trigger on what should have been attack alert signatures. Which of the following best describes the actions of the NIDS?
A. False positives
B. False negatives
C. True positives
D. True negatives
B. When it comes to alerting systems, false negatives are much more concerning than false positives. A false negative occurs when traffic and circumstances are in place for an attack signature, but the IDS does not trigger an alert. In other words, if your system is firing a lot of false negatives, the security staff may feel like they’re secure when, in reality, they’re really under a successful attack. Keep in mind a false negative is different from your IDS simply not seeing the traffic. For example, if you tell your IDS to send an alert for Telnet traffic and it simply didn’t see those packets (for whatever reason), that may be a false negative for exam purposes but in the real world is probably more of a configuration issue. A better example of a false negative in the real world would be for the attacker to encrypt a portion of a payload so that the IDS doesn’t recognize it as suspicious. In other words, the IDS sees the traffic, but it just doesn’t recognize anything bad about it.
A is incorrect because false positives occur when legitimate traffic is alerted on as if something was wrong with it. Keeping false positives to a minimum is a concern when choosing and configuring an IDS.
C and D are incorrect because these are not legitimate terms.
- A pen test member has gained access to an open switch port. He configures his NIC for promiscuous mode and sets up a sniffer, plugging his laptop directly into the switch port. He watches traffic as it arrives at the system, looking for specific information to possibly use later. What type of sniffing is being practiced?
A. Active
B. Promiscuous
C. Blind
D. Passive
E. Session
D. This is one of those weird CEH definitions that drive us all crazy on the exam. Knowing the definition of passive versus active isn’t really going to make you a better pen tester, but it may save you a question on the test. When it comes to sniffing, if you are not injecting packets into the stream, it’s a passive exercise. Tools such as Wireshark are passive in nature. A tool such as Ettercap, though, has built-in features to trick switches into sending all traffic its way, and other sniffing hilarity. This type of sniffing, where you use packet interjection to force a response, is active in nature. As a quick aside here, for you real-world preppers out there, true passive sniffing with a laptop is pretty difficult to pull off. As soon as you attach a Windows machine, it’ll start broadcasting all kinds of stuff (ARP and so on), which is, technically, putting packets on the wire. The real point is that passive sniffing is a mindset where you are not intentionally putting packets on a wire.
A is incorrect because in the example given, no packet injection is being performed. The pen tester is simply hooking up a sniffer and watching what comes by. The only way this can be more passive is if he has a hammock nearby.
B is incorrect because the term promiscuous is not a sniffing type. Instead, it refers to the NIC’s ability to pull in frames that are not addressed specifically for it.
C is incorrect because the term blind is not a sniffing type. This is included as a distractor.
E is incorrect because the term session is not a sniffing type. This is included as a distractor.
- Which of the following are the best preventive measures to take against DHCP starvation attacks? (Choose two.)
A. Block all UDP port 67 and 68 traffic.
B. Enable DHCP snooping on the switch.
C. Use port security on the switch.
D. Configure DHCP filters on the switch.
B, C. DHCP starvation is a denial-of-service attack EC-Council somehow slipped into the sniffing section. The attack is pretty straightforward: the attacker requests all available DHCP addresses from the server, so legitimate users cannot pull an address and connect or communicate with the network subnet. DHCP snooping on a Cisco switch (using the ip dhcp snooping command) creates a whitelist of machines that are allowed to pull a DHCP address. Anything attempting otherwise can be filtered. Port security, while not necessarily directly related to the attack, can be a means of defense as well. By limiting the number of MACs associated with a port, as well as whitelisting which specific MACs can address it, you could certainly reduce an attacker’s ability to drain all DHCP addresses.
As a side note, you may also see a question relating to how DHCP works in the first place. An easy way to remember it all is with the acronym DORA: Discover, Offer, Request, and Acknowledge. Additionally, packets in DHCPv6 have different names than those of DHCPv4. DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, and DHCPACK are known as Solicit, Advertise, Request (or Confirm/Renew), and Reply, respectively.
A is incorrect because blocking all UDP 67 and 68 traffic would render the entire DHCP system moot because no one could pull an address.
D is incorrect because DHCP filtering is done on the server and not the switch. DHCP filtering involves configuring the whitelist on the server itself.
- Which of the following tools is the best choice to assist in evading an IDS?
A. Nessus
B. Nikto
C. Libwhisker
D. Snort
C. It’s a hallmark of EC-Council certification exams to have a few off-the-wall, tool-specific questions, and this is a great example. Libwhisker (https://sourceforge.net/projects/whisker/) is a full-featured Perl library used for a number of things, including httP-related functions, vulnerability scanning, exploitation, and IDS evasion. In fact, some scanners actually use libwhisker for session splicing in order to scan without being seen.
A is incorrect because Nessus is a vulnerability scanner and, on its own, is not designed to evade IDS detection.
B is incorrect because Nikto, like Nessus, is a vulnerability scanner and, on its own, is not designed to evade IDS detection.
D is incorrect because Snort is an IDS itself. Snort is also a perfectly acceptable sniffer.
