Module 24 Technologies and Protocols

Question 1

What port does Syslog servers utilize?

Answer 1

UDP 514

Question 2

Why are NTP and Syslog important?

Answer 2

Syslog is the standard for logging user event messages. Time is just fucking important

Question 3

Why is attacking a syslog server important, from the perspective of an attacker?

Answer 3

Some exploits involve data exfiltration, which takes time. Hackers may attempt to block or destroy log data - in order for Hackers to hide the fact, that exfiltrating is occurring.

Question 4

What port does NTP use?

Answer 4

UDP 123

Question 5

How about DNS?

Answer 5

DNS is now used by malware, some varieties of malware use DNS to communicate with command-and-control (CnC) servers and to exfiltrate data in traffic disguised as DNS queries.

Question 6

Why is HTTP a risk?

Answer 6

All the information carried in HTTP is transmitted in plaintext.

Question 7

What is an iFrame (inline injection) attack

Answer 7

Threat actor compromises a web server and plants malicious code which creates an iFrame on a visited webpage. When the iFrame loads, malware is downloaded.

Question 8

What prevents an iFrame?

Answer 8

Cisco Web Reputation filtering can detect when a website attempts to send content from an untrusted website to the host.

Question 9

What does HTTPS use that is helpful?

Answer 9

After application layer (SSL/TLS) before transport, as the header trailer for the PDU is built

Question 10

What problems does HTTPS present?

Answer 10

Because it is encrypted with SSL - not all devices included decryption and inspection. Privacy issues in opening the traffic.

Question 11

Explain the HTTPS transaction

Answer 11

Client request secure page. Web server sends its public key with its certificate. Client ensures the certificate is up to date, issues by a trusted party and creates a symmetric key which goes to the server. Server decrypts the symmetric key with its private key. Web server THEN uses the symmetric key to encrypt the page and sends it to the client. BOOM

Question 12

Are email protocols dangerous?

Answer 12

SMTP, POP3 and IMAP can be used to spread malware, exfiltrate data or provide channels to CnC servers.

Question 13

How does IMAP and POP3 spread malware?

Answer 13

They are used to download email messages from a mail server to a host.

Question 14

What can ACL’s prevent?

Answer 14

ICMP Abuse, this is interesting, you allow responses (ICMP unreachable, ICMP replies but deny other responses from ICMP)

Question 15

What is the downside with ACLs?

Answer 15

Attackers can determine which IP addresses, protocols and ports are allowed by the ACLs, and spoof a source IP.

Question 16

Why does NAT and PAT complicate matters?

Answer 16

If PAT is in effect, it may be difficult to log the specific inside device that is requesting or receiving traffic.

Question 17

What is inside local, inside global, outside local and outside global

Answer 17

Inside local (client) mapped to inside global.

Question 18

What is Peer-to-Peer networking?

Answer 18

hosts can operate in both client and server roles

Question 19

What are the three types of P2P applications

Answer 19

file sharing, processor sharing and instant messaging

Question 20

Load balancing can be an issue

Answer 20

I guess