Book 5: Hijacking Attacks Flashcards

1
Q

What is a way in which we can hijack system information?

A

LLMNR

2
Q

What is Link-Local Multicast Name Resolution?

A

NetBIOS and LLMNR are protocols used to resolve host names on local networks. Their main function is to resolve host names in order to facilitate communication between hosts on local networks.

3
Q

Any time a system or service blindly reaches out for help to identify a system or service, an attacker can hijack that response and redirect the victim system through a computer we control.

A

true

4
Q

What is Responder?

A

A tool that is designed to launch LLMNR attacks.
It automatically launches a number of services to redirect victim systems in order to harvest credentials:
- HTTP, HTTPS, SQL Server, Kerberos, FTP, IMAP, SMTP, DNS, LDAP.

5
Q

Responder launches not only LLMNR attacks but can also launch __ and ___ attacks.

A

NBT-NS

DNS/mDNS

6
Q

What tool automatically launches a number of services to redirect victim systems to harvest credentials?

A

Responder

7
Q

What is the goal of Responder?

A

Spoof a system, then be ready to intercept the authentication requests on the fly. In addition, serve up malicious .exe files and force a downgrade to LANMAN authentication (easier to crack).

8
Q

Responder is a tool dedicated to answering stray LLMNR/NBT-NS/proxy requests.

A

true

9
Q

When a Windows host cannot resolve a hostname using DNS, it uses the LLMNR protocol (Link-Local Multicast Name Resolution) to ask neighboring computers about it. If that also fails, it uses NBT-NS (NetBIOS Name Service).
When LLMNR/NBT-NS is used to resolve a name, any host on the network can reply. Responder is one such tool that poisons the request.

A

true

10
Q

Responder will not only harvest credentials but can also stand up a number of services, because the victim has to go to that server and do something. Whatever request the victim is making, the attacker needs to have that service running so the victim can authenticate, in order to grab their credentials. In addition, it can serve malicious files.

A

True.

12
Q

Responder will try to have a service that the victim can authenticate to in order to grab credentials?

A

true

13
Q

Responder can force the victim to downgrade its authentication to LANMAN?

A

True, because they are easier to crack.

14
Q

How do you start Responder?

A

sudo /opt/Responder/Responder.py -I eth0

15
Q

When a user requests a service whose hostname isn't resolved, Responder will reply to the final resolution attempt (multicast DNS) with the attacker's IP address, forcing the user to connect to the attacker's service and potentially disclosing password hash information.

A

Yes.

16
Q

Session hijacking involves sniffing and spoofing?

A

Yes.

17
Q

Defenses against session hijacking:

A
  • Be careful with incoming connections.
  • Do not telnet to the firewall.
  • Do not telnet to the CA.
  • Utilize strong authentication and an encrypted path (SSH or VPN).
18
Q

As a defense against session hijacking you should hard-code your ARP tables.

A

Yes.

19
Q

Hard-coded ARP tables cannot be overwritten by gratuitous ARPs.

A

Yes, BUT this creates overhead because they must be updated on each system if and when changes occur.

20
Q

Defenses

A
  1. Activate port-level security on switches.
  2. Dynamic ARP inspection with DHCP snooping.
  3. Disable LLMNR.
  4. Use strong authentication and encrypted sessions (SSH or VPN).
21
Q

If the originating host is compromised, strong authentication and encrypted paths do not help, because the session is stolen at the originating machine.

A

Yes.

22
Q

Defense: Identification

A

arp -a on both Linux and Windows; check for spurious ARP entries.

23
Q

What tools can be used for identification of session hijacking?

A

ARPwatch: on the LAN

CAMTableExport: across the network

24
Q

Identification of session hijacking from Windows?

A

arp -a

ipconfig /displaydns

25
Q

Identification of session hijacking from UNIX?

A

arp -a or arp -e

strings /var/cache/nscd/hosts

26
Q

Containment of session hijacking?

A

Drop spurious sessions: change the password and restart the service to which the attacker connected.

27
Q

Eradication/Recovery

A

Change passwords, rebuild systems.

28
Q

Hard-coded ARP tables (having only a specific IP-to-MAC address mapping) cannot be overwritten by gratuitous ARPs.

A

True.