Exam 1 Flashcards

Question 1

Q

Types of Digital Forensics

Answer

A

Media, Cloud, Network, Mobile, Memory, Audio/Visual, Database/Web Apps, Internet of Things, Reverse-Engineering Malware.

Question 2

Q

Network Forensics Definition

Answer

A

Sub‐discipline of digital forensics concerned with the monitoring and analysis of computer network traffic for use in cyber crime investigations.

Question 3

Q

Importance of Network Foreniscs

Answer

A

Network traffic is volatile data
• Lost after transmission
• Stored in memory and not saved to storage media

Question 4

Q

PCAP

Answer

A

Full Packet Capture files (PCAPs). Contains bit for bit copies of the packets that traversed the network segment.

Question 5

Q

Netflow Logs

Answer

A

Contains a summary of network traffic over a period of time.

No actual packet content!

Question 6

Q

Typical Network Traffic Evidence and Analysis

Answer

A

PCAPS, Netflow Logs, Networking Device Logs, Security Appliance Logs.

Question 7

Q

PCAP Tools

Answer

A

Packet Sniffer, Protocol Analyzer.

Question 8

Q

Packet Sniffer

Answer

A

Used to place a NIC in “promiscuous” mode to
capture all network traffic packets that traverse the NIC.
Record the packets.

Question 9

Q

Protocol Analyzer

Answer

A

Used to examine the packets and determine what “type” of data they may contain.
Interpret (“make sense of”) the packets.

Question 10

Q

Networking Device Logs

Answer

A

Logs created by hubs, switches, and routers of traffic that traversed the device.
Small Buffer window size is a problem (coffee shop logs get lost fast!).

Question 11

Q

Security Appliance Logs

Answer

A

Firewall/IDS logs of activity.

Only “flagged” or “blocked” special events logged.

Question 12

Q

Commonly used Network Forensics Tools

Answer

A

TCPDUMP.

Wireshark.

Question 13

Q

TCPDUMP

Answer

A

Command Line.
UNIX‐Based OS.
• Sniffer/Protocol Analyzer
• Capture Filters
• Display Filters
• Partial Packet Capturing
• Headers, no content
• Fast!
• Very little overhead
• Great for filtering down
large PCAPs

Question 14

Q

Wireshark

Answer

A

GUI
• Both UNIX and Windows OS
• Sniffer/Protocol Analyzer
• Capture Filters
• Display Filters
• Only Full Packet Capture
• Always content
• VERY Slow!
• Do NOT try to open a very
large PCAP with Wireshark!

Question 15

Q

Networking Definition

Answer

A

The process two or more nodes in the network sharing data over a communication channel.
(Two or more computing devices transmitting bits of data to/from one another over wires/radio waves).

Question 16

Q

Internet Defintion

Answer

A

The Internet came about as a global system of computer
networking.
• A globally interconnected Wide Area Network (WAN)
• Uses the protocols of the TCP/IP Protocol Suite

Question 17

Q

Network Model Definition

Answer

A

A network model compartmentalizes problem into subtasks.
• Easier to design protocols and applications to handle smaller subtasks.
• Layer them to work together to get the overall job done.
• Theoretical only to help understand process.

Question 18

Q

OSI Model

Answer

A

Open Systems Interconnected (OSI) Reference Model.
Consists of 7 Layers
• Numbered 1‐7
• Upper Layers (5‐7) = Application
• Lower Layers (1‐4) = Data‐Flow
• Please Do Not Throw Special Pizza Away

Question 19

Q

OSI Layers

Answer

A

• Please Do Not Throw Special Pizza Away
Physical.
Data Link.
Network.
Transport.
Session.
Presentation.
Application.

Question 20

Q

OSI Model: Layer 1

Answer

A

Physical.
Function: Transmission of binary bits through a medium.
Data Units: Bits
Devices:
• Transmission Medium (Copper/Fiber Optic Cabling and Radio Waves)
• Network Interface Card (NIC)
• Sort of Hubs and Repeaters, Modems

Question 21

Q

NIC

Answer

A

Network Interface Card.
Interface between the host system and network.
ipconfig shows all NICS.
Responsible for signal transmission on the medium.
Each NIC has its own MAC address.
Doesn’t always match machine it’s own.
Both Layer 1 and Layer 2 device.

Question 22

Q

Repeater

Answer

A

Takes an input signal and transmits it back out.
• What comes in one port is transmitted out the other port.
Layer 1 device, but not actually used anymore.

Question 23

Q

Hub

Answer

A

The input signal in any port is broadcast out all others.
• A multiport repeater
• Broadcasts = no device addressing
• Everybody gets everything transmitted
• Receiver decides if it's for them

Question 24

Q

Modem

Answer

A

Stands for Modulator‐Demodulator
• Used to transmit binary bits over wavelength transmission media (instead of electrical impulses).
• Does nothing intelligent, just facilitates movement.

Question 25

Q

OSI Model: Layer 2

Answer

A

Data Link Layer (PHYSICAL)
Function: Define how systems directly connected on same physical network communicate.
• Defines how data is placed onto the medium (wire/waves).
• Physical Network = Local Area Network (LAN)
• Also performs error detection for Layer 1 transmission errors
• Data Units: (802.3 and 802.11) Frames
• Devices: Switches and Bridges (2 port switch), NICS

Question 26

Q

MAC Sublayer

Answer

A

Media Access Control (MAC) Sublayer (Layer 2).
• Methods for accessing shared transmission medium.
• Organizes data into frames transmitted as bits by Physical Layer.
Physical addressing schema: MAC Addresses

Question 27

Q

MAC Address Definition

Answer

A

Physical addressing schema for MAC Sublayer.
• Allows physically connected devices to communicate directly
• No more broadcasting! (most of the time).
Associated directly with NICs (globally unique per NIC.

Question 28

Q

MAC Address Structure

Answer

A

Six bytes in length
• Typically represented in Hex with bytes separated by dashes.
• Sometimes delimited with colons
• First 3 bytes are Organizationally Unique Identifier (OUI)
• Identifies vendor of NIC
• Last 3 bytes are unique to the NIC

Question 29

Q

Two Main Layer 2 Standards

Answer

A

IEEE 802.3 – Ethernet
IEEE 802.11 – WiFi
Specify a meaningful way to place data as bits on the wire
Frames

Question 30

Q

Frame

Answer

A

Data unit of Layer 2 standards used to more intelligently route data to physically connected devices and
provide some error checking.

Question 31

Q

Switch

Answer

A

Learns the MAC Address of all connected devices
• Maps them to ports in Content Addressable Memory (CAM) Table
• Traffic is forwarded to only the port of the specific destination device
• By destination MAC address
• No broadcasting everything!

Question 32

Q

OSI Model: Layer 3

Answer

A

Network Layer (LOGICAL)
• Function: Internetworking.
• Logically connecting small physical networks (LANs) to one another
• Routing traffic between these LANs
• Provides a means of fragmenting data to fit fixed sizes
• Data Units: (IPv4 and IPv6) Packets
• Devices: Routers, also Layer 3 switches

Question 33

Q

IPv4 Addresses

Answer

A

“Logical Address”
• Assigned/Maintained by Internet Registries
• 4 bytes (32 bits) in length
• Dotted‐Decimal Notation
• A system’s IP address is made up of:
• Network ID (left bits)
• Host ID (right bits)

Question 34

Q

Internet Registries

Answer

A

Internet Assigned Numbers Authority (IANA) oversees IP address allocation assignments
• Part of ICANN
• Delegates this authority to RIRs

Question 35

Q

ICANN

Answer

A

Internet Corporation for Assigned Names and Numbers

Question 36

Q

RIRs

Answer

A

Regional Internet Registries

Question 37

Q

IPv4 Classes

Answer

A

The size of a registered block of IP addresses varies depending on the size of the network.
• The size of the block is determined by the “class” of the block.
Class A: N.H.H.H. (Largest)
Class B: N.N.H.H.
Class C: N.N.N.H.

Question 38

Q

Private IPv4 Addresses

Answer

A

There are special reserved blocks of IPs for private IP
addresses
• Can be used by anyone without permission from Registries
• Cannot be used to transmit over the Internet
• Can only be used internally within a network
• Network Address Translation (NAT) allows private IPs to communicate across the Internet

Question 39

Q

NAT

Answer

A

Network Address Translation.

Allows private IPs to communicate across the Internet.

Question 40

Q

IPv6 Addresses

Answer

A

Gives us more address possibilities.
Been “transitioning” to this since the 90s.
Represented as 8 groups of four hex digits separated by colons.

Question 41

Q

IPv4/IPv6 Packets

Answer

A

Data unit of Layer 3 that is used to route traffic between physical networks using IP addressing.
The IP Packet is the PAYLOAD of the Layer 2 Frame.

Question 42

Q

Router

Answer

A

Main Layer 3 device used to route traffic between non‐
physically connected networks by IP address.
• Check to see if traffic is destined for their Network ID
• If yes, forward to the device
• If no, forward to a device that may know where the network with that ID is located.
• They can determine where to forward traffic by their routing table.

Question 43

Q

OSI Model: Layer 4

Answer

A

Transport Layer.
Function: Setting up end‐to‐end (host‐to‐host) connections
• Data needs to be transmitted in fixed sized segments
• Provides a means of segmenting data and delivering those segments
• Reliability, flow control, and connection‐oriented data stream support (through TCP)
• Provides multiplexing (through port addressing)
• Data Units: TCP Segments or UDP Datagrams
• Devices: N/A

Question 44

Q

UDP

Answer

A

User Datagram Protocol (datagrams)
• Layer 4.
• Connectionless
• Don’t set up a formal connection, just send the data
• Unreliable, send it out and hope they arrive and mostly in order
• No Flow Control
• Positive: Fast Transmission!
• Payload of Layer 3 Packet

Question 45

Q

TCP

Answer

A

Transmission Control Protocol (segments)
• Layer 4
• Connection‐Oriented
• Set up formal connection before transmitting data
• Reliable, makes sure all data gets to end point, in order, without errors
• Retransmit if necessary
• Flow Control
• Negative: A lot of overhead!
• Payload of Layer 3 Packet

Question 46

Q

Port Addressing

Answer

A

Ports are used for Layer 4 addressing
• Ports give us multiple endpoints on an end‐host for
communications (multiplexing)
• Computer applications can listen on their own ports
• Enables the use of more than one network communicating application at a time

Question 47

Q

OSI Model: Layer 5

Answer

A

Session Layer.
• Establishes and cleanly terminates communication sessions
• Provides authentication and authorization for sessions

Question 48

Q

OSI Model: Layer 6

Answer

A

Presentation Layer.

• Translates data from lower layers into a format understandable by the application

Question 49

Q

OSI Model: Layer 7

Answer

A

Application Layer.

• Protocols used by applications to interface with the user system and network with other applications

Question 50

Q

TCP/IP Protocol Suite Definition

Answer

A

TCP/IP Model more accurately maps to real‐world
internetworking p.rotocols and services.
Using TCP Transport protocol in conjunction with IP Network protocol.

Question 51

Q

TCP/IP Protocol Suite Layers

Answer

A

Application Layer (Session, Presentation, Application)
Transport (Transport)
Internet (Network) Also called Network.
Network Access (Physical, Data Link) Also called Data Link or Link.

Question 52

Q

Data Encapsulation Definition

Answer

A

Frames, Packets, Segments/Datagrams
• Each data unit contains the data from the above layer.
• This is called data encapsulation

Question 53

Q

Data Encapsulation Process

Answer

A

An application has some data to transmit over the network
• The data is segmented into TCP segments or UDP datagrams for transmission and addressed using ports
• Each segment/datagram is the payload of an IP packet addressed to a logical IP address
• Each IP packet is the payload of an 802.3/802.11 frame addressed to a physical MAC address
• The frame is transmitted as bits across the medium

Question 54

Q

Network Protocols Definition

Answer

A

Formal standards compromised of rules, procedures, and formats that specify communication over a network.

Question 55

Q

Link Layer Protocols

Answer

A

IEEE 802.3 (Ethernet)
IEEE 802.11 (WiFi)
Address Resolution Protocol (ARP)

Question 56

Q

IEEE 802.3

Answer

A

Ethernet
IEE Standards (not actually Protocols)
Specifies Link Frame contents for wired communications
• Standardizes cabling and interface requirements
• Standardizes auto-negotiation to allow backwards compatibility

Question 57

Q

IEEE 802.11

Answer

A

WiFi
IEE Standards (not actually Protocols)
• Specifies Link Frame contents for wireless communications
• Standardizes frequencies and modulation techniques

Question 58

Q

ARP

Answer

A

Address Resolution Protocol (ARP)
• ARP maps logical IPv4 addresses to their corresponding physical MAC addresses
• Logical address to physical address mapping
• How we know a system’s MAC address on a physical network.
• Link Layer (2) Protocol

Question 59

Q

ARP Process

Answer

A

Devices on the same physical network can directly forward traffic by MAC address
ARP packets are encapsulated in payload of a frame
Considered Link Layer b/c this is LAN‐based protocol
Broadcast MAC address to find who’s it is.
Two types of ARP packets: Requests and Replies

Question 60

Q

LAN

Answer

A

Local Area Network (physical)
Small, privately setup and maintained, high speed network covering a small geographic area.
Wireless LAN (WLAN) = WiFi.

Question 61

Q

WAN

Answer

A

Wide Area Network (logical)
• Very large with no geographic restrictions, commonly connecting LANs together
• “Logical” networks
• May be private for enterprise (using leased lines)
• May be publicly accessible by anyone (THE Internet)

Question 62

Q

What if the IP we request isn’t on our local network?

Answer

A

The router will see the ARP request (its broadcast)
The router will check its routing table for a path to the IP and respond with its (the router’s) MAC address if it has a path

Question 63

Q

ARP Cache

Answer

A

End systems have an ARP Cache
Dynamically populated by recently resolved ARP requests for faster future transmissions
May also be made to contain some static entries

Question 64

Q

Network Layer Protocols

Answer

A

Internet Protocol (IPv4 and IPv6)
Internet Control Message Protocol (ICMP and ICMPv6)

Answer 65

A

Protocols for routing traffic between physical networks
(internetworking)
• Route and deliver packets to target based on IP addressing

Answer 66

A

Sends error messages and operational information to network devices
ICMP datagrams are encapsulated in the payload of IPv4 packet
Like ARP, it is considered a Network Layer protocol despite being encapsulated within a Network Layer packet because it is strictly IP based (no Transport Layer or App Layer roles here)

Answer 67

A

Type 8 (Echo Request) and Type 0 (Echo Reply)
Type 3 (Destination Unreachable)
Type 11 (Time Exceeded)

Answer 68

A

Type 8 (Echo Request) and Type 0 (Echo Reply)
Test reachability of a host by IP address
Ping utility

Answer 69

A

Type 3 (Destination Unreachable)

* Router informs source host that the requested destination is unreachable

Answer 70

A

Type 11 (Time Exceeded)
Notify source host that IP packet’s Time‐to‐Live (TTL) value reached zero without reaching destination
Traceroute utility

Answer 71

A

TCP Segment contains a “flags”
Synchronize (SYN): Used to establish a connection
Acknowledge (ACK): Acknowledge receipt
Push (PSH): Push data to receiver
Reset (RST): Used to reset a connection
Final (FIN): Release the connection

Answer 72

A

DHCP and DHCPv6
DNS
HTTP and HTTPS
File access protocols: FTP, SMB
Mail protocols: SMTP, IMAP, POP
Remote access protocols: Telnet, SSH, RDP, VPNs

Answer 73

A

Dynamic Host Configuration Protocol
Application Layer Protocol
Dynamically assign IP addresses to hosts on a network
UDP port 67 (server)
UDP port 68 (client)
4 main DHCP operations: DORA

Answer 74

A

Domain Name System
Application Layer Protocol
Translate Domain Names to IP Addresses
Primarily uses connectionless UDP Transport protocol
UDP port 53 (sometimes can use TCP port 53)
Resolves human‐friendly names to their IP addresses that are actually used for network communication

Answer 75

A

Hypertext Transfer Protocols

Application Layer Protocols

Answer 76

A

Application Layer Protocols
File Transfer Protocol (FTP)
Server Message Block (SMB)

Answer 77

A

Application Layer Protocols
Simple Mail Transfer Protocol (SMTP),
Internet Message Access Protocol (IMAP)
Post Office Protocol (POP)

Answer 78

A

Application Layer Protocols
Telnet, Secure Shell (SSH)
Virtual Private Networks (VPNs)
Remote Desktop Protocol (RDP)

Answer 79

A

4 main DHCP operations:

Discovery, Offer, Request, Acknowledge (DORA)

Answer 80

A

DORA
Client sends DHCP Discovery to broadcast address to find the Server
• Server sends DHCP Offer to offer an available IP address
• Client sends DHCP Request to accept the offe, or to suggest a preferred IP
• Server sends DHCP Acknowledgement to allow the Client to start using the IP address

Answer 81

A

A range of IP addresses that a DHCP server is

configured to assign

Answer 82

A

Received by the DHCP client to use the assigned
IP address for a fixed amount of time
• Near end of lease, client sends another DHCP Request
• Unless the IP has been reassigned, the server will grant a new lease (Acknowledge)

Answer 83

A

IP addresses in a DHCP server’s scope that are reserved for specific machines to use
• Its best to let servers and shared resources always get the same IP address

Answer 84

A

Most DHCP Servers will host a database that contains the current IP address assignments mapped to Client MAC addresses
Also, most DHCP Servers will have a logging option to collect logs of DHCP traffic to/from the Server

Answer 85

A

DHCP Server

Answer 86

A

DHCP Client

Answer 87

A

DNS

Primarily uses connectionless UDP Transport protocol

Answer 88

A

Root > Top level domains (TLDs)(.org .edu .com) > Secondary level domains (Authoritative Name Server)(uco.edu) > Subdomains/hosts (learn.uco.edu)

Answer 89

A

A Records
AAAA Records
MX Records
NS Records
SOA Records
PTR Records

Answer 90

A

DNS Record Type

IPv4 Address record

Answer 91

A

DNS Record Type

AAAA Records

Answer 92

A

DNS Record Type

MX Records

Answer 93

A

DNS Record Type

Name Server record identifies name servers

Answer 94

A

DNS Record Type

Start of Authority record identifies the primary name server

Answer 95

A

DNS Record Type

Pointer record maps IP address to a host name for reverse DNS lookups

Answer 96

A

An org that manages TLDs

• For example, VeriSign manages .com domain names and records

Answer 97

A

An accredited org that sells domain names to
public customers
• For example, GoDaddy

Answer 98

A

The person or company who registers a
domain name with a registrar
• Manage their domain through the registrar who then notifies the
registry to update the database records

Answer 99

A

DNS
• The actual server that hosts the Web service
• This is the IP address mapped to the domain

Answer 100

A

End systems often have a DNS Cache that contains recently resolved domain name and IP address mappings
• Attempts to speed up the process of DNS name resolution
• Bad guys can manipulate this!
• DNS Name Servers will often have a logging feature
• Log DNS requests and responses
• Can be a potential source of evidence

Answer 101

A

Hypertext Transfer Protocol
• Generally uses TCP port 80
• The basis for communication on the World Wide Web
• The protocol used by Web Browsers to access content
(web pages) from Web Servers
• Not secure

Answer 102

A

HTTP is called a “Request/Response” protocol.
A request is sent from a web client (browser) and the target web server sends a response back to the client with the requested content, which the browser is able to display

Answer 103

A

There are several HTTP Methods
• GET request – client requests a resource from the web server
• POST request – pass data from the client to the server

Answer 104

A

A string created by a web client (browser or web crawler) that identifies what browser is being used, what version is being used, and on what operating system it. is running.
Can be spoofed!

Answer 105

A

A HTTP cookie is a piece of data sent from a web sever to a web client
• Web client includes it in subsequent requests

Answer 106

A

Used for 3 main purposes:
• Session management
• Personalization and user preferences
• Tracking

Answer 107

A

Two main categories of cookies:
• Session – removed from client system when session ends
• Persistent – stays on client until expiration time

Answer 108

A

Tell us “what happened” on the servers end upon receiving the request
• Include a short error message
Server String (Think User Agent String for servers)

Answer 109

A

Secure extension of HTTP
Functions the same as HTTP
But includes encryption
TCP port 443

Answer 110

A

Transport Layer Security (TLS) and its predecessor

Secure Sockets Layer (SSL) are cryptographic protocols to secure communications via encryption

Answer 111

A

Transport Layer Security

Cryptographic protocols to secure communications via encryption

Answer 112

A

Secure Sockets Layer

Cryptographic protocols to secure communications via encryption

Answer 113

A

File Transfer Protocol (FTP)
• Protocol for directory listings and file transfers
• TCP port 20/21

Answer 114

A

File Transfer Protocol (FTP)

Answer 115

A

Server Message Block (SMB)
• Microsoft proprietary
• Used for access to shared resources including files
• TCP port 445

Answer 116

A

Server Message Block (SMB)

Answer 117

A

Post Office Protocol version 3 (POP3)
• Mail retrieval protocol
• Download emails from remote server to local client
• Original copy on mail server is usually lost
• TCP port 110

Answer 118

A

Post Office Protocol version 3 (POP3)

Answer 119

A

Internet Message Access Protocol (IMAP)
• Mail retrieval protocol
• Copy emails from remote server to local client
• Original copy maintained on mail server
• TCP port 143

Answer 120

A

Internet Message Access Protocol (IMAP)

Answer 121

A

Simple Mail Transfer Protocol (SMTP)
• Mail sending protocol
• Email sent from client through relay mail servers to recipient
• TCP port 25

Answer 122

A

Simple Mail Transfer Protocol (SMTP)

Answer 123

A

Remote Access Protocol
• Protocol for accessing virtual terminal with remote system
• Insecure = everything sent in plaintext
• TCP port 23

Answer 124

A

Secure Shell (SSH)
• Remote Access Protocol
• Creates a secure channel over an insecure network via encryption
• Commonly used for secure remote terminal access
• Also used to secure other network services within the channel
• TCP port 22

Answer 125

A

Secure Shell (SSH)

Answer 126

A

Remote Desktop Protocol (RDP)
• Microsoft proprietary
• Provides remote GUI to RDP client of RDP server system
• TCP/UDP port 3389

Answer 127

A

Remote Desktop Protocol (RDP)

Answer 128

A

Describes the way information flows through the network

Answer 129

A

Shows actual physical arrangement of network components

* Often mapped on an actual floorplan

Answer 130

A

Process that waits for a request from a client and

responds to it

Answer 131

A

Process that sends a request to a server and

(usually) waits for the response

Answer 132

A

An internet is a network that is publicly accessible

• Most commonly through THE Internet

Answer 133

A

An intranet is a network that is not publicly accessible
• Privately accessible only
• May still be accessed externally through remote access protocols and authentication protocols (extranet)

Answer 134

A

Demilitarized zone (DMZ) is a segment of a private network that is publicly accessible
• Located outside the firewall
• Contains services that we want publicly accessible
• Protects services that we don’t want publicly accessible

Answer 135

A

Denial‐of‐Service
Reconnaissance
Vulnerability
Man‐in‐the‐Middle
Access
Social Engineering
Insider Threat
Web Application
Wireless
Malware

Answer 136

A

A Denial‐of‐Service (DoS) attack has one single goal
Make a networked service or resource unavailable
Two basic types:
Most common, flood bandwidth with junk traffic
Exploit bug/weakness to cause service to hang/freeze
Very “noisy” attack type

Answer 137

A

Distributed DoS (DDoS)
Amplification Attacks
SYN Flood
UDP Flood
Malformed Packets

Answer 138

A

Distributed DoS (DDoS), the attack originates from many
different sources
• Typically via a botnet
• Bots are themselves victim systems
• Infected with malware

Answer 139

A

A Command‐and‐Control (C2) server is used to issue
commands and activate the malware to flood a victim with incoming requests
• DDoS‐as‐a‐Service (DDoSaaS) with “booters” and “stressers”

Answer 140

A

DDoS attacks are very noisy and easy to identify
• Massive amount of incoming traffic to a service
• Difficult to prevent/stop• Difficult to investigate for attribution - attacker’s true ID is hidden behind the C2 server and the bots

Answer 141

A

Forging a piece of information

• Goal = To disguise the attacker’s identity

Answer 142

A

Instead of using a botnet, a DoS can be achieved by using a carefully crafted packet(s) that generates multiple (or large) responses
• Known as amplification attack
• Also known as distributed reflective DoS (DRDoS)
• First example Smurf Attack

Answer 143

A

Send a ICMP Echo Request to the broadcast address of a network
ICMP Request has a spoofed source IP of the victim
Every node on the network sends ICMP Response to victim

Answer 144

A

More modern example uses DNS
Send DNS Request to multiple DNS Name Servers
Request all records associated with DNS
DNS Request has a spoofed source IP of the victim
The “small” requests generate “large” responses sent to victim

Answer 145

A

SYN Flood DoS
• Attacker sends SYNs to Server
• Spoofed IPs as source
• Server sends SYN‐ACKs to spoofed sources
• They don’t reply
• Server will wait for response(s)
• Until a timeout
• If a system’s resources are all “binded” to “half‐open connections”, then any real request won’t be able to be established

Answer 146

A

Attacker sends many UDP packets to random ports on a host
Spoof the source IP so ICMP Host Unreachables are sent elsewhere
Eats up victim’s resources

Answer 147

A

There are some ways to “break” protocols to force a target service to crash or hang
Ping of Death
Teardrop Attack
LAND Attack

Answer 148

A

• Attacker sends ICMP Echo Request (“Ping”) to Victim
• Packet is constructed larger than the max allowable size
• Send to destination in fragments
• Victim attempts to reconstruct the ICMP packet but it overflows
the buffer
• System freezes/crashes
• No longer works

Answer 149

A

Takes advantage of early OS not capable of handling malformed IP fragmentation
Unable to reassemble the IP packet due to missing fragments or overlapping fragments
OS would “hang”
No longer works

Answer 150

A

Local Area Network Denial (LAND) Attack
• Send SYN to Server with the Server’s own IP as source
• It responds to itself over and over again
• No longer works

Answer 151

A

The goal of a reconnaissance attack is to learn about a potential target.
Passive or Active

Answer 152

A

Browsing through a corporation’s website
Browsing a corporation’s social media feed
Using search engines as weapons

Answer 153

A

Port Scanning

* OS Fingerprinting

Answer 154

A

Attempts to determine what services are listening on a target
Services an attacker may be able to exploit
Basic Concept = Send a series of messages to several different destination ports on the target and see what response you get

Answer 155

A

Method of Port Scanning.
Send TCP SYN to target ports
Just ONE method of port scanning (there are others)
Both noisy and stealthy attack
Stealthy in logs – won’t log the not established TCP sessions
Noisy in network traffic captures – series of packets with same source and many different destination ports

Answer 156

A

Attempts to determine the OS of a potential target
Examine fields within packets sent from a target
Passive or Active

Answer 157

A

Sniff the outgoing traffic for OS indicators

Answer 158

A

Send traffic to target to elicit responses to check for OS indicators

Answer 159

A

Attackers can exploit vulnerabilities in application or OS code
Take advantage of security flaw in coding
Use to execute attacker code on victim system
Goal to gain access to the system
MANY possible attacks on vulnerabilities
Buffer overflow = gold standard (still works today)

Answer 160

A

• When a program is expecting some kind of input or data it creates a buffer in memory to store the data.
An attacker can provide the program more data than the
buffer has room to hold
• Causes nearby data in memory to be overwritten
• Goal = overwrite return address on memory stack
• Return address points to the location in memory of next instruction to execute
• Overwrite it to point to address of implanted malicious code

Answer 161

A

• Man‐in‐the‐Middle (MITM) Attacks are communications
eavesdropping attacks
• Passive – simple eavesdropping for information
• Active – intercept/modify communications, pose as both parties
• The goal is for the attacker to position themselves in the communication stream between a client and server

Answer 162

A

ARP/DNS Poisoning

* Session Hijacking

Answer 163

A

Attacker can compromise routing and name‐resolution systems to position themselves before the communication is initiated
Tools exist that allow a malicious actor to send ARP replies to hosts on the network
Bad guy can respond to specific ARP request it sees
Bad guy can also send gratuitous ARP reply (= no original request) to everyone on the network
Goal is to get a host (or hosts) on physical network to cache the attacker’s MAC address as the location of a real IP address
Send traffic to attacker instead

Answer 164

A

Attacker can take over an already existing communication session
If criminal gets it, can act as you for the duration of the session cookie’s lifespan
HTTP = EASY just sniff the HTTP traffic and grab it
HTTPS = Trickier (encrypted!)

Answer 165

A

Similar to ARP Cache poisoning
Goal is to get target to go to attacker website instead of real one by poisoning the DNS cache (in both client and local name server)
Send DNS Response to local DNS server to get the server to tell client(s) that the website is located somewhere it isn’t

Answer 166

A

Password Attacks
Phishing
Social Engineering

Answer 167

A

Include brute force attacks, dictionary attacks, rainbow tables

Answer 168

A

Get user to give you their credentials by masquerading as something/someone trustworthy
Often delivered via spam
Spear Phishing = Targeted! Whaling = EXTRA Targeted!

Answer 169

A

Example: 2‐Factor SMS SIM Swap Attack.
PEOPLE are still the greatest weakness of security mechanisms
Goal is to convince a victim/victim service provider to just give you information/access.

Answer 170

A

Remote Access Trojan (RAT)
Creates Backdoor
Spam/Phishing
Watering Hole Attack

Answer 171

A

Typically the malware, when executed, will create a listening socket on the victim system that provides reverse shell access
Attacker can then send traffic to listening port and gain the shell
Provides remote access without authentication

Answer 172

A

Build rapport
Illicit sympathy
Intimidation
Temptation
Timeliness of attack

Answer 173

A

Insider threats are not only a reference to an attack from a privileged employee…
Also refers to an attack originating from within the network
Companies often protect from the outside but not inside.

Answer 174

A

• A very common attack vector today is to attack web
applications themselves
• Include both attacking the server‐side application and the client‐side web browser

Answer 175

A

The application listening on the web server

* Uses HTTP to interact with client web browser

Answer 176

A

Many web applications utilize back‐end databases to store data such as usernames/passwords, credit card info, inventory, etc.
Users enter data.
Attacker enters unexpected data into web application to trick it into giving out information.

Answer 177

A

An attacker finds a vulnerable Web App server
Attacker inputs OS Command into Web App
The Web App will execute the command

Answer 178

A

HTTP Request would contain the command to execute

* HTTP Reply would contain the result of the command execution

Answer 179

A

Cross‐Site Scripting (XSS).
• Attackers find a web server with a XSS vulnerability
• Any Web App that takes user data, stores it, then displays it back to other users is vulnerable
• Attack involves inputting Javascript into the Web App
• Any user who accesses the content will execute the Javascript
• Two types: Reflected or Stored

Answer 180

A

Reflected – The Javascript is embedded in a URL link and executed within their browser when the user clicks on the link

Answer 181

A

The Javascript is directly inserted into the Web App

content/database and executed within the Web App itself when the user accesses it

Answer 182

A

Rogue Access Point
Jamming/Interference
Evil Twin
Sniffing

Answer 183

A

• A person (attacker/employee) connects a WiFi access
point to secure network with poor security
• Provides a weak entry point into the internal
network

Answer 184

A

Transmitting over the same frequency channels as WiFi network can prevent it from being used
Form of WiFi DoS

Answer 185

A

• Creating an insecure WiFi network with SSID (name) of a common or trusted network

Answer 186

A

• Insecure WiFi traffic susceptible to sniffing on the frequency within range

Answer 187

A

WiFi traffic is inherently dangerous

* We protect WiFi by using authentication and encryption

Answer 188

A

All broken, butWiFi data can still be secured via VPNs and use of SSL/TLS.

Answer 189

A

Malicious software.

Includes Worms, Trojans, Rootkit, C2, Backdoor, and Keylogger.

Answer 190

A

Self‐replicating malware (infects other network hosts)

Answer 191

A

Disguised malware (looks innocent)

Answer 192

A

Provides root access (admin/OS privileged)

Answer 193

A

Records computer keystrokes

Answer 194

A

Used to study and analyze the actions of advanced persistent threat (APT) actors
Basic premise:
A network intrusion involves a series of actions by a threat actor to achieve their final goal
In understanding each step of their actions, we can better secure ourselves against their methods

Answer 195

A

Advanced Persistent Threat (APT) actors

Answer 196

A

Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command &amp; Control
Exfiltration

Answer 197

A

Learning about the target
Finding vulnerabilities
Includes harvesting emails, org charts, clients, etc.

Answer 198

A

The creation of the malware payload for the specific target
Usually takes advantage of a vulnerability exploit from Recon
Usually incorporates a backdoor setup

Answer 199

A

How to get the malware payload to the target

* Typically via spam, malicious websites, or malicious storage media

Answer 200

A

Malicious payload targets vulnerability in application or OS
Goal is to gain the proper access to the system/network

Answer 201

A

• Installation and setup of RAT or backdoor to the system/network to maintain attacker persistence

Answer 202

A

• Attacker maintains channel to compromised system where they send commands and receive feedback from those commands

Answer 203

A

• The theft (or just viewing) of targeted sensitive information from the network sent to the attacker
• Can sometimes also include infecting the system with
ransomware on the way out the door

Brainscape's Knowledge GenomeTM

Exam 1 Flashcards

Brainscape's Knowledge Genome^TM