Professor Mike Meyers Flashcards
(99 cards)
1
Q
What is the PDU called the transport layer?
A
TCP PDU is called TCP segment
UDP PDU is called UDP datagram
2
Q
Is ICMP just one packet?
A
No, it is not just one packet. There is a type field in the packet that will define what this particular ICMP packet is for?
For example this type field might mean host not found.
3
Q
Define main fields of IGMP?
A
It has following ->
Source address + Group address + checksum + type
4
Q
Define IGMP?
A
So when a sever hosting some live video for example and it needs to go to a large number of recipients, it can use a Multicast address. So it will assign a Multicast address to hosts or routers that comes in the way of hosts that want to listen to this live video, a multicast address. This way it can just send a one stream of data instead of sending multiple streams to cover all recipients.
5
Q
What is traceroute and what is its windows equivalent?
A
It is a troubleshooting protocol that tell us the hop by hop patch to reach a remote host from the local host.
Windows equivalent is tracert
In some case if traceroute does not work as it is not allowed by some routers, we can use “ pathping “ command as it uses a different protocol.
When the things are running great, use the traceroute command so that you can get familiar with it.
6
Q
What is one of the things that you should check if you are not getting right speed from ISP?
A
Look for cheap routers
7
Q
Learn wireshark
A
I will
8
Q
Name of the packet capturing tool that we can use in linux from command prompt?
A
tcpdump - it will start capturing the frames and we can save these into some file and then use some analyzer like wireshark to analyze the frames.
9
Q
What is netstat command used for?
A
It is a command that we can use to list all the open ports and connections on our system.
It has no of different options.
10
Q
Define some popular netstat options.
A
netstat -n This will give us the raw numbers like destination IP addresses instead of names.
netstat -b It will tell us the executable as well linked to a connection
netstat -o It will give us the process ID as well that we can use to find the associated applications in Task manager
netstat -nbo
netstat -a It shows all the active ports
11
Q
What is netstat -r used for?
A
We can also use this to see the routing table in windows
12
Q
If we need to check if some device is running a web server, how do we check that?
A
We use
netstat -a command and see if it is listening on port 80 or 443
13
Q
What are the 2 common kind of web servers out there in the world?
A
One are Microsoft servers - Microsoft IIS ( internet information service )
Another is Apache ( open source )
14
Q
What does FTP server listens on?
A
It listens on port no 21
And send the data back to clients on port 20
15
Q
If we want people to connect to our FTP SRVER to download some files, without requiring to enter any USER NAME / PASSWORD, what kind of account do we need to create on FTP SERVER?
A
We can create ANONYMOUS account with no password
16
Q
Can Inter Explorer acts as a FTP server and how?
A
Yes, we can type
ftp://202.13.212.104
17
Q
Does windows have in-built ftp client?
A
We can use command prompt as ftp client.
Just type -> ftp serverName/ip address
Once connected, we can use GET command for file downloads and PUT command for file uploads.
18
Q
What are the different modes that AP can work in?
A
- Repeater - it will just repeat the signal from the AP. Normally these repeaters have 2 set of transmitters and receivers. One set of transmitter and receiver is used to get the signal from AP and the other one is used to retransmit the signal. So this way there is no interference.
- Workgroup bridge - in this mode, it can act as wireless NIC for a wired client that does not have wireless capability. So WGB will work on the same frequency as the AP.
- Outdoor bridge - this used to connect 2 or more different buildings or cities that are apart by a large distance.
- Mesh network - it can also work in a Mesh topology.
19
Q
Give an example of Cloud-based AP Architecture?
A
Cisco Meraki is a cloud based and offers centralized management of wireless, switched, and security networks built from Meraki products.
20
Q
What is Split-Mac architecture terminology in ACCESS POINTS?
A
In split-mac, duties are divided between WLC (wireless controller) and the light weight APs.
Activities performed by AP is divided into 2 groups -> management functions and real time processes.
21
Q
What are the management functions in Split -MAC AP architecture?
A
RF management, authentication, security management, QOS, Association and roaming management
22
Q
What are the real time functions in AP?
A
RF transmit/receive
MAC management,
Encryption
23
Q
How the WLC and AP talk to each other?
A
Using CAPWAP - Control and provisioning of wireless access point
24
Q
What are the 2 kind of messages that travel in CAPWAP tunnels?
A
- CAPWAP control messages - these are the messages that travel between LWAP and WLC for controlling light weight APs. These messages are authenticated and encrypted so the AP is securely controlled by the appropriate WLC.
- CAPWAP data - this is used for packets travelling to and from wireless clients that are associated with AP. Data packets are transported over the data tunnel but are not encrypted by default. When the data encryption is enabled for AP, packets are protected with the Datagram Transport Layer Security (DTLS)
25
In an enterprize WLAN, how is it ensured that no unauthorized AP connect to your network?
Every AP and WLC must also authenticate each other with digital certificates. An x.509 certificate is preinstalled in each device when it is purchased. By using certificates behind the scenes, every device is properly authenticated before becoming part of the wireless network. This process helps assure that one one add an an authorized AP to your network.
26
How can we use a browser as FTP server?
By default, they act as web browsers.
So we type ftp://202.13.212.104
27
Can our command prompt also act as file server?
Yes it can. We just type
ftp server_address
“get” command downloads the stuff and “ put” command uploads the stuff
28
What port number IMAP uses?
It uses port number 143
29
What protocol helps with encrypting emails and what port does it use?
The STARTTLS extension uses only one port (587) for encryption communication.
30
What was the traditional TLS terminology in securing email protocols?
So when the emails were secured for the first time, they used TSL in such a way in clients that first clients connected to email servers using olds ports like SMTP 25, IMAP 143 and then it switched to secure TLS encrypted session.
So attackers could monitor and see some data.
Then as a solution came the STARTTLS that encrypted the email data from the beginning. It used just one port number for all protocols (IMAP, pop, SMTP) which was 465.
And then STARTTLS start happening on port number 587
31
For network+ exam, there was rlogin client as well which ran on port 513
It has been replaced by SSH.
32
What are IPAM ( IP ADDRESS MANAGEMENT ) tools?
IPAM tool tracks and manage allotted IP addresses, keeping address requirement available for server and VM farms.
33
Define main 3 kinds of access controls.
MAC - Mandatory Access Control - in this one, the actual resource was labeled like too secret, and based on this label we had access to it or not. These is a oldy thing.
Then cane the this one -
DAC - Discretionary Access Control - in this one, resources were given tags like this one is owner of this file and this can only read file. Better than MAC
THEN ->
Role-Based Access Control - RBAC - in this one, permissions are given to groups like Sales, or accounting group (based on the role)
34
What does a RADIUS setup look like?
RADIUS - Remote authentication dial-in user service
RADIUS Supplicant——-R client——R server
RADIUS client cane be a wireless router but not the actual device that provides user name / password or some other means of authentication.
It’s not necessary for RADIUS server to have all the user name / password database. Fot example - in a enterprise environment, it can check the user name password with the database in ACTIVE DIRECTORY
It uses UDP Connection
35
What port number is used by TACACS+
TCP 49
36
What is the common use of Kerbros?
It provides authentication service in Local Area Networks.
37
Define kerberos.
Kerberos is setup in windows server who can act as a KDC - key distribution centre
KDC consists of 2 services - 1st is authentication service and 2nd is TGS (Ticket granting service)
Here is how it works -
A client sends a hash of user name and password to the KDC / Kerberos server and KDC authenticates it and sends back a TGT (Ticket granting Ticket). Then TGT is time stamped and sent back to the server for authorization.
Then a Token ( time stamped one) is sent back to the client and it kind of usually stays active of 8 hours.
38
Define EAP. Extensible authentication protocol.
It is a kind of authentication protocol in which server can ask client what kind of authentication client supports and then use that authentication.
Different authentication methods that it can negotiate from are following-
- EAP PSK ( pre shared key)
- PEAP (protected extensible authentication protocol) - uses user name and password
- EAP MD5 - uses hash
- EAP TLS - it can use certificates in which certificates come from the server side and passed down to clients.
39
Where EAP is mostly used?
It is used in wireless networks. Kerberos dominates over wired networking authentication.
40
What do we use for single sign on for local area networks?
Active directory
41
What SAML ( Security assertion Markup Language) is used for?
It is used to manage multiple apps using a single account.
SSOcircle provides a variety of service provider (SP) samples.
In SAML concept, there is Identity provider and the service provider.
42
Security Trust questions - when a public key is shared by some server, how do we know where it came from ( if it actually came from this server ) and if that is the entity who it claims to be?
We use signed certificates. Like x.509 certificate.
43
What is a digital signature in certificates?
It is nothing more than a hash. It is a mechanism by which we can verify that a public key came from the server that has the associated private key.
So how is it verified?
Let’s take an example of web server connection.
So the server will encrypt the website that we are visiting/ connected to, with its private key and make a hash of it and will send it to the host with its public key.
Host on the other end will also make a hash of the web page using the public key and then compare the hash it created with the hash shared by the web server. If it matches, then host knows that public key came from the server that has the associated private key.
44
Digital certificates - how do they verify that some public key came from the legit source?
Here comes the involvement of 3rd party CA who both parties trust.
So let’s say i am the server. I will get an singed certificate from CA who will vouch for me. So basically in this certificate ( when is a kind of envelope), i will have my own digital signature and the CA’s signature and my public key. Every time anyone connects to me, i will pass on this certificate to them.
This way i can let know hosts that i am a trustworthy site.
45
What are unsigned certificates?
When there is no 3rd party like CA, vouching for me.
They work fine internally in the local area network as no intruder has access to it.
46
What is PKI - public key infrastructure?
It is a hierarchy of certificate authorities that issues certificates.
47
What technologies in a browser do we take the help of to verify if some certificate is valid?
CRL and OCSP
48
Note - a Self Signed Certificate can throw a 443 error as the certificate has not been issued by a certificate authority.
49
In simplest form, what does a VPN do?
It will encapsulate private addressing ( LAN IP) within internet public IP. Kind of it creates a Tunnel.
Note - it may not be encrypted.
50
What does port bonding do?
It links switch-ports to increase bandwidth.
Uses LACP (Link Aggregation Control Protocol)
51
What is the port mirroring command on Cisco IOS?
Monitor session 1 source int fa24
monitor session 1 destination int fa23
52
What is the role of IPS, IDS and Firewall in respect to each other?
Firewall - filters traffic
IDS - monitors traffic and notifies
IPS - acts to stop
53
What is the role of forward proxies?
It connects on the client side and hides them. So clients are aware of the proxies.
It can act as a dedicated box or a software.
- provides caching
- provides content filtering
- acts as Firewall
Also note - proxies are application-specific. Depending on the type of application, there are different types of proxies.
- web proxy
- FTP proxy
- VoIP proxy
54
What is the concept of a TOR network/ proxy?
With TOR network concept, a client can hide themselves so that they are not trackable back to them.
So the client connection will go through bunch of computers in TOR network.
55
What is a reverse proxy server?
These proxies protects servers from evil people.
- provide security protection like protection from Denial of Service
- provides caching
- provides load balancing
- handles encryption/ decryption
56
What is the old fashion of doing load balancing?
It is done using DNS.
1st way is the Round Robin via DNS. Let’s say we have 3 server that needs to be load balanced. In their authoritative DNS SERVER, we will have 3 look up records to these 3 servers and as the the connection requests come in, this DNS server will give the address of the 1st server and then 2nd and so on.
2nd way is in which DNS uses reverse look up zones. By using reverse look up zone, DNS will find out which server is closest to it ( as the servers can be in different continents) and then provides its IP ADDRESS for connection.
57
What is server side load balancing?
These are physically present on the site. It can query the individual servers and can know which is not busy.
- can also provide encryption/ decryption yet
58
Define DMZ?
Demilitarized zone.
DMZs are used to protect public-facing servers by creating an isolated area for those devices.
2 firewalls are used in a DMZ : one allowing unsolicited traffic to the public service and the 2nd maintaining isolation of the private network.
59
To what types, DoS attacks can be broken down into?
Volumetric attacks - it can be a continuous PING flood.
Application attacks - one that are attacked at a particular application. For example - Slow Loris attack that happens in Apache server.
Protocol attacks - one that is for a particular protocol. For example- SYN flood / TCP SYN attack.
60
Give me an example of amplification attack
Smurf attack - in this one, attacker will spoof the Ip address of its target and will send a IP broadcast in the network so that it make the server to receive frames from all the nodes in that network.
61
What is a DDOS - distributed denial of service attack?
In this attack, a bunch of computers attack a single target.
The attacker loads some type of malware called botnet, into the other devices called Zombie devices, and make them contact the target machine in some way.
62
What is virus?
A virus is something that will get on to our computers from floppy drive or thumb drive and attach it to the OS files.
What does it do?
I will propagate to the connected devices and it will activate. ( for example, it might delete the OS FILES)
63
What is Adware?
It is a type of Malware which will pop up ads on some website.
64
What is spyware?
It is a type of malware.l which hides itself from the system and will phone home in some way.
It might be sending monitored data or might be sending cookies etc
65
What is Trojan malware?
It is a piece of software that will not propagate on its own.
For example- Remote access Trojans (RATs) -
It doesn’t do anything until someone from home connects to this Trojan malware and bad things start happening.
66
What is Ransomware?
In its basic form, it encrypts someone’s data and will ask for ransom to decrypt it
67
What is a logic bomb malware?
It is kind of similar to Trojan in the way that it does not propagate and needs to be activated.
Though its not like it is remotely accessed and then activated.
It gets activated when some event take place. For example - when some account is deactivated.
68
What is rootkit and backdoor Malware?
Rootkit is a software that escalates privileges to execute other things on a computer.
For example- Sony rootkit
These are notorious to detect.
Backdoor -it is a piece of software that will let someone to intentionally access some software from some backdoor.
69
What are the different aspects of a Malware and what they can be?
It can be armored virus, polymorphic ( it changes some of its code )
It can also be a keylogger to get passwords etc.
70
Define the stateless and state-full Firewalls?
Stateless fireless - we just turn them on without much configuration.
Stateful- it will look at every packet and will decide whether it should let it go or not. It involves a lot of configuration.
Stateful firewall make a database of all active connections that are going between a client and the server. Some some packet is a part of active connection, firewall does not compare this packet with each ACLs. It just allows in the packet as it is a part of the active connection.
71
What program in Linux we can use to spoof addresses?
Ettercap - it can act as a spoofer. It can also grab the data from the network and provide us the information that we want.
Ettercap creates a lot of noise on the network that is easily detected by an good IDS / IPS.
We can do DHCP SPOOFING, ARP spoofing, DNS poisoning etc all from a single program.
72
Give me examples of some Man in the middle attacks.
Url highjaking or Typosquatting
Domain Highjacking -when someone forgets to renew their lease of public domain and someone else buys it.
Replay attacks -
Downgrade attack - in which encryption is lowered.
Session highjacking - it is quite difficult as it has to be done in real time. There is simple one as well - Firesheep
73
What are unified threat management devices (UTM)?
These are the ones who acts as a lot of things like firewall, proxy server, VPN endpoint, etc
74
What does the stateless firewalls filter the packets based on?
It filters packets based on ports and IP Addresses. It does not look at the data deep enough.
So it does not track the state of conversations.
75
What are statefull firewalls?
These are also known as context-and application- aware firewalls that filter traffic based on the content of the packets.
These does the deep packet inspection (DPI)
76
What are some security hardening methods?
Creating user accounts, change the default ADMIN user name / password
Assigning right based on roles,
Update the firmware of devices like camera, switches
Stop the traffic on open ports that are not used
Shut down the physical ports that are not used.
Do the key / signature / certificate management on devices so we can do an back up of them
We can do the vulnerability assessment in which we have some level of access to the network
Going to next level, we can also ask someone to do the penetration testing
77
What are 3 types of physical controls?
Deterrent,
Preventative,
Detective
Learn to identify what falls under all of these types and how to improve these physical controls.
78
Give me an example of one thing that we normally check while testing network security.
We look for unwanted open ports.
Ports can be opened by a installed new software, firmware update on the router, or by mistake while doing some configuration on the managed devices.
79
Give me an example of Network Vulnerability applications.
And what does it do.
These applications can look for vulnerabilities in our network. For example - it can look for the open ports in our network or it can also show us the services running on some particular server or can show us the network topology and can find us the devices that we didn’t know of.
Example - NESUS and NMAP ( it is free and i will play with this)
80
What are Honeypot and Honeynet?
These are the applications that can mimic some server so they pretend to be some server for baiting for attackers so that we can monitor the attackers activity.
There are some free ones as well.
81
What is the first thing we need to check in scenarios where something is not able to get to something.
Look for blocked TCP / UDP ports
82
What are the 3 aspects of securing data?
Authentication, encryption, MIC - Message integrity check
83
What is involved in 802.1x authentication standard?
It can involve a number of authentication protocols to be used for authentication. While using it, one can use an authenticated protocol from a number of protocols.
EAP can integrate with this 802.1x standard.
It involves Supplicant, Authenticator, authentication server (AS)
84
What are the different EAP authentication methods that are used?
1. LEAP - light weight extensible authentication protocol- NO LONGER USED
2. EAP - FAST (flexible authentication by secure Tunneling
3. PEAP - Protected Extensible Authentication protocol- in this one, AS ( authentication server) authenticates itself to the supplicant using a certificate. Once authenticated, a TLS TUNNEL is created between Supplicant and AS. And then client / supplicant is authenticated through the TLS TUNNEL.
For client authentication, it can either use MSCHAPv2 or GTC ( generic token card)
4. EAP - TLS
85
What are common Wireless Privacy and Integrity Methods?
1. TKIP - Temporal key Integrity Protocol - no longer used
2. CCMP - it uses AES ENCRYPTION and one MIC. Used in WPA2
3. GCMP - uses AES. And for MIC - it uses Galois Message authentication code (GMAC) used as a message integrity check.
Used in WPA3
86
Define WPA ( wireless protected access), WPA1, WPA2
WPA - uses 802.1x authentication, TKIP
WPA2 - uses AES CCMP Algorithms
WPA3 - uses AES with GCMP
All WPAs support 2 client authentication modes : a pre-shared key or 802.1x based on the scale of deployment.
These are known as personal mode and enterprise mode
87
What is Ping of death?
It is a Denial Of Service Attack. In this attack, a large number of Ping responses are sent to a victims address which results in Victim host being unresponsive, hanging
88
Describe the attack in which gateway becomes unreachable?
The attack happens like this -
1. The attacker will send a TCP message acting as a destination host to a target host.
2. While the target hosts response is on its way, the attacker will send a route redirect message spoofing a primary gateway, to the target host.
3. This way, the target host will change its gateway from primary to secondary that is under attackers control.
4. From this point on, attacker will be man-in-the-middle. All the traffic from target host will start travelling from the secondary host where attacker can see all the data
89
What is DDOS - Distributed Denial of Service Attack?
In DDOS, the attack on a particular host comes from different source hosts.
In DDOS, the attacker deploys Bots that are malicious programs, on different computers. Then the attacker will control them using Command And Control server.
Example of such attack is Denial of Service using DNS and NTP
90
What is permanent Dial of Service and give its one example.
One example of Permanent Denial Of service is PDoS - Phlashing Denial of Service.
In PDoS, the victim devices firmware is damaged / corrupted in such a way that device can't be repaired. I will need to be replaced.
91
Describe Smurf attack.
In Smurf attack, the attacked will spoof victims IP address and will send a broadcast ping in the network. Doing so causes the every host in the network to flood victim host with ICMP ping replies.
92
What is SYN flood attack.
In SYN flood attack, the attacker will send multiple SYN request to an server which will cause the server to reserve some storage in its memory for the new connection until server memory is fully exhausted with these SYN requests. At this point, the server can't take any more requests (even that are legitimate ones)
93
Describe reflective amplified attacked that are performed using DNS and NTP.
DoS attacks using DNS -> in this one, attacker deploys Bots and attacker make these bots to spoof the IP address of victim and send some small 8 byte DNS request to DNS servers. Doing so cause the DNS servers to flood large amount of information to the victim address
DoS attack using NTP -> in this one, the attacker spoofs the IP address of target and sends "monlist" command to NTP servers. Doing so cause the NTP servers to reply to target with information of last 600 hosts who have contacted the NTP server. It only occurred in old version of NTP servers
94
What is ARP cache poisoning?
It is a kind of Man-In-The-Middle attack. In this one, ARP cache on the switch is poisoned and traffic starts travelling through the attacker device.
95
Give me an example of protocol abuse.
Protocol abuse is done on those applications that are used almost in every network. For example - DNS and ICMP
One example of DNS protocol abuse -
Let's say that the attacker managed to get inside the network and has again admin rights as well. To maintain such access for the later time, attacker has 2 options First is he/she can install a backdoor on the victim device but most of the time outgoing or incoming traffic on an unknown port is block by the Firewalls so he/she can go for the 2nd option.
2nd option is that attacker can abuse DNS. So on the victim device, it will install a iodine application which will encapsulate the traffic that attacker want inside DNS packets and these DNS packets will be allowed to travel through the Firewall.
On the other end of this DNS-Iodine connection, the recipient will also have Iodine app installed which will de-encapsulate the traffic and will forward it to the attacker.
96
Define spoofing and its types
Spoofing is the process of faking some one's address.
There is 3 kind of spoofing -
1. First is ARP spoofing
2. Email spoofing - in this one, the From field is changed to hide the sender email address
3. Referrer header spoofing - in this one, the attacker will spoof the Referral header of HTTP packet in a connection request to a server so that It will show such a referral header / page from which access to this server is allowed.
97
Define Session Hijacking and its types.
Sessions hijacking is the process in which attacker will taker over a session with a server once the client has authenticated to the server
There is 3 types of Session Hijacking -
1. Session fixation - in this one, the attacker will send a link to victim with session ID pre-set. So once the target establishes session with the server , the attacker takes over the session
2. Session sidejacking - in this one, the attacker will sniff the packets to get the session cookie or if the attacker has access to the client device, it can try to get the session cookies from its memory.
3. Cross Site scripting - In this one, the attacker will put a malware on the victim device with which it can run some code on the site to steal cookies. This happens after the client has authenticated to the server.
98
What is VLAN hopping?
In VLAN hopping, the frames passing through a switch are double tagged with 802.1Q headers. It is done so that frame enters a VLAN that it is not part of.
99
What is a Virus and define its types.
Virus is a malware type that is activated with user action. For example- opening a infected executable file.
