Chapter 9: Sniffers Flashcards Preview


Flashcards in Chapter 9: Sniffers Deck (16)
1
Q

Promiscuous mode

A

network card setting to capture all traffic (including not yours)

2
Q

Active vs Passive Sniffing

A

ACTIVE - traffic is monitored & possibly altered

PASSIVE - traffic is only monitored

3
Q

HW protocol Analyzers

A

plug directly into the NW at the HW level & can monitor traffic w/ out manipulating traffic

Not easily accessible by ethical hackers & are extremely pricey

4
Q

Lawful Interception (LI)

A

aka Wiretapping; legally sanctioned access to communications NW data such as telephone calls or e-mail msgs

5
Q

In terms of LI, the sniffing process is looked at as having 3 components

A

1) IAP (Intercept Access Point) - where info is gathered for the LI
2) Mediation device supplied by a 3rd party that handles information processing
3) Collection function that stores & processes info intercepted by the 3rd party

6
Q

MAC Flooding

A

The most common method for enabling sniffing on a switch is to turn it into a device that does allow switching. We want to convert it to a hub-like environment

A switch keeps track of MAC addresses received by writing them to a content addressable memory (CAM) table;

If a switch is flooded with MAC addresses, it may overwhelm the switch's ability to write its own CAM table; in turn, it makes the switch fall into acting like a giant hub

Tool: Macof

7
Q

CAM table

A

Content Accessible Memory table with a fixed size that stores information such as MAC address of each client, port they are attached to, & any VLAN info;

A CAM table is used by the switch to help get traffic to its destination, but when it's full... in older switches, it would cause the switch to fail "open" & act as a hub; the flood would spill over, affecting adjacent switches

Must maintain the flood to keep the switch acting as a hub; if flooding stops, the timeouts that are set on the switch will start clearing out the CAM table entries, allowing the switch to go back to normal operations

(in newer switches, the success rate of mac flooding is much lower)

8
Q

ARP Poisoning

A

Address Resolution Protocol poisoning; attempts to contaminate the NW w/ improper gateway mappings

What ARP does is map IP addresses to specific MAC addresses, thereby allowing switches to know the most efficient path for data being sent

CON: ARP doesn't have prerequisites for its sending or receiving process; ARP broadcasts are free to roam the NW at will;

PRO: Attacker takes advantage of this open traffic concept by feeding incorrect ARP mappings to the gateway itself or to the hosts of the NW

Tools: Ettercap, Cain & Abel, Arpspoof

9
Q

IP DHCP snooping feature

A

Counters ARP poisoning

Some switches have an IP DHCP Snooping feature that verifies MAC-to-IP mappings & stores valid mappings in a DB

10
Q

MAC spoofing

A

when an attacker changes their MAC address to the MAC address of an existing authenticated machine already on the NW

Not a technique used for NW-side sniffing, but gives unauthorized access onto NW w/ out much effort

11
Q

Port security

A

Counters MAC Flooding, MAC Spoofing

Low-level security that allows a specific # of MAC addresses to attach to a switchport; if this is enabled, it makes MAC spoofing easier

12
Q

Port Mirror or SPAN port

A

This technique is through physical means; here you need physical access to the switch & use port mirroring or Switched Port Analyzer (SPAN)

This technique sends a copy of every NW packet encountered on one switchport or a whole VLAN to another port where it may be monitored

Used to monitor traffic for diagnostic purposes or for implementing devices such as NIDS (NW intrusion detection systems)

13
Q

SSH

A

Soft Shell; used to tunnel data (encrypt) and securely get access to a remote computer; widely used by NW admins to control servers and the web remotely

14
Q

SSL

A

Secure Sockets Layer that encrypts data to keep prying eyes from altering traffic or seeing it

15
Q

Cain and Abel

A

ARP poisoning, password cracking, and sniffing

16
Q

Which cmd launches a CLI (command line interface) version of Wireshark?

A

tshark