Flashcards in Chapter 3 Deck (37)
Attackers often use a protocol analyzer to capture data sent over a network. After capturing the data, attackers can easily read the data within the protocol analyzer when it has been sent in cleartext.
DoS. A denial-of-service (DoS)
attack is an attack from a single source that attempts to disrupt the services provided by another system.
DDoS. A distributed DoS (DDoS)
attack includes multiple computers attacking a single target.
Many protocols store data in cache for temporary access. Poisoning attacks attempt to corrupt the cache with different data.
TCP/IP. Transmission Control Protocol/Internet Protocol (TCP/IP)
provide basic connectivity. Other protocols, such as Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP), support specific types of traffic.
Default port for HTTP
TCP port 80
TCP. Transmission Control Protocol
provides connection-oriented traffic
TCP uses a three-way handshake. To start a TCP session, the client sends a SYN (synchronize) packet. The server responds with a SYN/ACK (synchronize/acknowledge) packet, and the client completes the third part of the handshake with an ACK packet to establish the connection.
UDP. User Datagram Protocol
provides connectionless sessions (without a three-way handshake). While TCP traffic provides guaranteed delivery, UDP makes a best effort to deliver traffic without using extra traffic to ensure delivery.
IP. The Internet Protocol (IP)
identifies hosts in a TCP/IP network and delivers traffic from one host to another using IP addresses.
IPv4 uses 32-bit addresses represented in dotted decimal format, such as 192.168.1.100.
IPv6 uses 128-bit addresses using hexadecimal code, such as FE80:0000:0000:0000:20D4:3FF7:003F:DE62.
ICMP. Internet Control Message Protocol
is used for testing basic connectivity and includes tools such as ping, pathping, and tracert.
ARP. Address Resolution Protocol
resolves IPv4 addresses to media access control (MAC) addresses.
ARP is required once the packet reaches the destination subnet.
ARP poisoning attacks
use ARP packets to give clients false hardware address updates; attackers use them to redirect or interrupt network traffic.
NDP. Neighbor Discovery Protocol
performs several functions on IPv6. For example, it performs functions similar to IPv4’s ARP. It also performs autoconfiguration of device IPv6 addresses and discovers other IPv6 devices on the network such as the address of the default gateway.
Which underlying protocol is used for voice and video streaming?
UDP. User Datagram Protocol
The Real-time Transport Protocol (RTP)
delivers audio and video over IP networks. This includes Voice over Internet Protocol (VoIP) communications, streaming media, video teleconferencing applications, and devices using web-based push-to-talk features.
The Secure Real-time Transport Protocol (SRTP)
provides encryption, message authentication, and integrity for RTP.
It helps protect the confidentiality of the data while also ensuring the integrity of the data transmissions, which provides protection against replay attacks.
FTP. File Transfer Protocol
uploads and downloads large files to and from an FTP server. By default, FTP transmits data in cleartext, making it easy for an attacker to capture and read FTP data with a protocol analyzer.
TFTP. Trivial File Transfer Protocol
uses UDP port 69 and is used to transfer smaller amounts of data, such as when communicating with network devices. Many attacks have used TFTP, but it is not an essential protocol on most networks. Because of this, administrators commonly disable it.
SSH. Secure Shell
uses TCP port 22 and
encrypts traffic in transit and can be used to encrypt other protocols such as FTP. Linux administrators often used Telnet when remotely administering systems, but this is not recommended because Telnet sends traffic over the network in cleartext.
SSL. The Secure Sockets Layer
was the primary method used to secure HTTP traffic as Hypertext Transfer Protocol Secure (HTTPS). SSL can also encrypt other types of traffic, such as SMTP and Lightweight Directory Access Protocol (LDAP). However, it has been compromised and is not recommended for use.
Secure Shell (SSH) encrypts traffic over TCP port 22.
TLS. The Transport Layer Security
protocol is the designated replacement for SSL and should be used instead of SSL.
Additionally, many protocols that support TLS use STARTTLS. STARTTLS looks like an acronym, but it isn’t. Instead, it is a command used to upgrade an unencrypted connection to an encrypted connection on the same port.
IPsec. Internet Protocol security
is used to encrypt IP traffic. It is native to IPv6 but also works with IPv4. IPsec encapsulates and encrypts IP packet payloads and uses Tunnel mode to protect virtual private network (VPN) traffic.
SFTP. Secure File Transfer Protocol
is a secure implementation of FTP. It is an extension of Secure Shell (SSH) using SSH to transmit the files in an encrypted format. SFTP transmits data using TCP port 22.
Secure FTP (SFTP) uses SSH to encrypt traffic.
FTPS. File Transfer Protocol Secure
is an extension of FTP and uses TLS to encrypt FTP traffic. Some implementations of FTPS use TCP ports 989 and 990. However, TLS can also encrypt the traffic over the ports used by FTP (20 and 21).
FTP Secure (FTPS) uses TLS to encrypt traffic.
SMTP. Simple Mail Transfer Protocol
transfers email between clients and SMTP servers. SMTP uses TCP port 25. SMTP unofficially used port 465 with SSL and port 587 with TLS. However, it is now recommended that SMTP use STARTTLS to initialize a secure connection.
POP3 and Secure POP. Post Office Protocol v3 (POP3)
transfers emails from servers down to clients. POP3 uses TCP port 110. Secure POP3 encrypts the transmission with SSL or TLS and can use TCP port 995. However, STARTTLS is now recommended to create a secure connection on port 110.
IMAP4 and Secure IMAP.
Internet Message Access Protocol version 4 (IMAP4) is used to store email on an email server. IMAP4 allows a user to organize and manage email in folders.
HTTP. Hypertext Transfer Protocol
transmits web traffic on the Internet and in intranets. Web servers use HTTP to transmit web pages to clients’ web browsers. Hypertext Markup Language (HTML) is the common language used to display the web pages. HTTP uses TCP port 80.
HTTPS. Hypertext Transfer Protocol Secure
encrypts web traffic to ensure it is secure while in transit. Web browsers commonly indicate that a secure session is using HTTPS by displaying a lock icon and by including HTTPS in the Uniform Resource Locator (URL) field. HTTPS is encrypted with either SSL or TLS and it uses TCP port 443.