Networking Equipment Flashcards

1
Q

7 commonly used protocols for remote management of devices?

A
  • Telnet
  • Web based protocols (HTTP, HTTPS)
  • SSH
  • SNMP
  • TFTP
  • Cisco Reverse Telnet
  • NTP
2
Q

Management Protocols - Telnet?

A
  • Not encrypted, all plain text
3
Q

Management Protocols - Web Based Protocols

A

HTTP (HyperText Transfer Protocol)
- Not encrypted, all plain text

HTTPS
- Secure, TLS 1.3 is latest version - 1.2 vulnerable

4
Q

Management Protocols - Secure Shell

A
  • Secure, depends on encryption
  • Can log in with username and password, or without a password if you have the private key
5
Q

Management Protocols - SNMP (Simple Network Management Protocol)

A
  • Used by Network Management Systems (NMS) to monitor network infrastructure
  • SNMPv1 is unencrypted
    SNMPv3 (latest) is encrypted

SNMP could leak credentials and other data.
If there is write access - remote code execution is possible

6
Q

Management Protocols - TFTP (Trivial File Transfer Protocol)

A
  • Simple to implement
  • No authentication or access control mechanisms
7
Q

Management Protocols - Cisco Reverse Telnet

A
  • Allows the Telnet server to write to a computer terminal or device

Telnet - Network to network
Reverse telnet - network to serial (hardware communication)

8
Q

Management Protocols - NTP (Network Time Protocol)

A
  • Used to synchronise clock between computer systems in a network (UDP port 123)
  • Could leak system info, host names of network, etc.

nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 <target_ip>

9
Q

What would you use for local network traffic analysis?

A

Wireshark

Raw data can be seen at each different layer:
Frame -> Ethernet -> IPv4 -> HTTP

This shows hexdumps of data.
Files can be extracted from PCAP files.

10
Q

How to extract HTTP files?

A
  1. Open the .pcap file
  2. File -> Export Objects -> HTTP…
  3. Choose what you want to save
11
Q

How to extract FTP files?

A
  1. Filter for FTP-DATA packets
  2. Right-click -> Follow -> TCP Stream
  3. Select RAW as the output type
  4. Save the file
12
Q

What is ARP?
Description and Security issues?

A

Address Resolution Protocol (ARP)

Discovers MAC addresses in the network.
No authentication

ARP Spoofing - pretends to be another computer for man in the middle attacks.

13
Q

What is DHCP?
Description and Security issues?

A

Dynamic Host Configuration Protocol (DHCP)

Automatically assigns IP addresses to new devices in the network.
Commonly found in routers.

No Authentication required, can be used for man-in-the-middle attacks or unauthorised access to resources or DoS

14
Q

What is CDP?
Description and Security issues?

A

Cisco Discovery Protocol (CDP)

Used to share info about other directly connected Cisco equipment, such as OS version and IP address.

Information leakage

15
Q

What is HSRP?
Description and Security issues?

A

Hot Standby Router Protocol (HSRP)

Provides redundancy for routers through virtual MAC addresses etc.

DoS, take over active router.

16
Q

What is VRRP?
Description and Security issues?

A

Virtual Router Redundancy Protocol (VRRP)

Provides redundancy for routers through virtual MAC addresses, but incomplete.

DoS, take over active router

17
Q

What is VTP?
Description and Security issues?

A

VLAN Trunking Protocol (VTP)

Cisco Protocol
Sends VLAN info to whole of LAN.

VTP-bomb
Network uses config with highest config revision number.
If a new switch is added to a network with correct VTP domain name and password, but the switch has a higher revision number, the whole network will use the VTP info from the new switch, which will overwrite the current config.

18
Q

What is STP?
Description and Security issues?

A

Spanning Tree Protocol (STP)

Helps network traffic flow with less congestion, saving resources

No security issues

19
Q

What is TACACS+ ?
Description and security issues?

A

Terminal Access Controller Access Control System Plus

Provides authentication, authorisation and accounting (AAA) services to the network.

No security issues.

20
Q

Enumeration and fingerprinting of
IPSec 500/UDP

A

nmap -sU -p 500 <target_ip>
ike-scan -M <target_ip>

21
Q

Enumeration and fingerprinting of
VoIP (Voice over IP)

A

5060 UDP/TCP unencrypted
5061 UDP/TCP encrypted

Similar to HTTP: request-response model, with user-agent and URIs

22
Q

7 Common request types within SIP

A
  • INVITE - invites an account to join the call
  • ACK - confirmation regarding the invite of joining the call
  • CANCEL - cancelling a queued call
  • REGISTER - registering the user against the SIP server
  • OPTIONS - shows the options the caller has
  • BYE - ends the call between both sides
  • REFER - shows that the receiver needs to communicate through a 3rd party by the info attached to the request
23
Q

6 SIP requests/responses

A

1xx - informational
2xx - success
3xx - redirection
4xx - failed requests
5xx - web server cannot complete request
6xx - global errors

24
Q

SIP interaction structure (6 steps)

A
  1. Sender initiates an INVITE request
  2. Receiver sends back a 100 (trying) response
  3. Sender starts ringing by sending a 180 (ringing) response
  4. Receiver picks up the phone and a 200 success response is sent (OK)
  5. ACK is sent by the initiator
  6. Call started using RTP
  7. BYE request sent to end the call
25
Q

Wired Equivalent Privacy (WEP)

A

Deprecated and easily cracked; passwords can be extracted once initialisation vectors (IVs) are captured.

Standard 64-bit WEP uses a 40-bit key (also known as WEP-40), which is concatenated with a 24-bit IV to form the RC4 key.

26
Q

Temporal Key Integrity Protocol (TKIP)

A

Replacement for WEP
Early versions not recommended for use
Was rebranded as WPA

TKIP implements a key mixing function that combines the secret root key with the initialisation vector before passing it to the RC4 cipher initialisation

27
Q

Wi-Fi Protected Access WPA/WPA2

A

If the Wi-Fi password is weak, it's easy to crack and find the password

WPA - 2003 - interim measure for WEP
WPA2 - 2004 - more secure version
WPA3 - 2018 - after security issues raised

Keys are pre-shared

28
Q

Extensible Authentication Protocols (EAP/LEAP/PEAP)
What is EAP?

A

EAP is an authentication framework used in LANs and dial-up connections.
Used mainly in wireless communication for authentication among clients and wireless LAN.

As a P2P (point-to-point) LAN data communication framework, EAP provides a range of authentication mechanisms, such as supporting one-time passwords (OTPs), smart cards, public key encryption authentication and digital certificates

29
Q

EAP Flow

A
  • Using a transceiver, the client requests a wireless connection
  • The transceiver gets the client's request for a wireless connection
  • The authenticator then requests the client ID from the transceiver and, when it's received, then sends a message to the client requesting the client ID
  • When verified, the client ID is sent to the server
30
Q

LEAP (Lightweight Extensible Authentication Protocol)

A

Authentication framework used by WPA, WPA2 and WPA3.
Built by Cisco - but no longer recommended for use by Cisco

31
Q

PEAP (Protected Extensible Authentication Protocol)

A

Authentication framework used by WPA, WPA2 and WPA3
Similar to EAP-TLS, which is EAP over TLS config for security.
Recommended for use.
Jointly developed by Cisco, Microsoft and RSA Security