Sniffing and Evasion

Question 1

From a legal standpoint, sniffing is equivalent to:

Answer 1

Wiretapping

Question 2

MAC address

Answer 2

Physical or burned in address of a network interface. 48 bits long, 12 hex characters separated by colons

Question 3

MAC address format

Answer 3

First 3 bytes are the organization unique identifier or NIC manufacturer code. The last 3 bytes are unique within the manufacture code.

Question 4

NIC must run in this mode to sniff all frames

Answer 4

Promiscuous mode. Driver like WINPCAP for Windows systems is required and libpcap for Linux systems.

Question 5

Collision Domain

Answer 5

All the devices sharing any given transport medium.

Question 6

Why switches can restrict sniffing

Answer 6

Switches restrict visibility of network conversations by splitting each port into its own collision domain.

Question 7

Hardware Protocol Analyzers

Answer 7

Fluke, RADCOM, Keysight

Question 8

Which protocol passes everything in clear text?

Answer 8

TFTP as well as SNMP and NTP prior to V3, also IMAP and POP3, HTTP

Question 9

Address Resolution Protocol (ARP)

Answer 9

Maps IP addresses to MAC addresses by sending an ARP_REQUEST. The relevant system will respond with an APR_REPLY and provide its MAC address.

Question 10

Display current ARP cache

Answer 10

ARP -a

Question 11

Delete entries from the ARP cache

Answer 11

ARP -d * or NETSH interface ip delete arpcache

Question 12

Technique of spoofing a MAC address

Answer 12

Sending a gratuitous ARP

Question 13

Unicast

Answer 13

A packet addressed to a single device

Question 14

Multicast

Answer 14

A packet addressed to a group of devices

Question 15

Anycast

Answer 15

A packet addressed to a group, but the nearest device in terms of routing distance opening it.

Question 16

IPV6 Link Local address

Answer 16

FE80 - equivalent to APIPA

Question 17

IPV6 Unique Local address

Answer 17

fc00::/7: Equivalent to private IPV4 addresses

Question 18

IPV6 Global addresses

Answer 18

Equivalent to public IPV4 addresses

Question 19

Lawful Interception

Answer 19

Process of legally intercepting communications between two or more users for surveillance of telecommunications, VOIP and multiservice networks

Question 20

Planning Tool for Resource Integration (PRISM)

Answer 20

US data tool for collecting foreign intelligence

Question 21

Passive sniffing

Answer 21

Plugging in a sniffer and capturing what is seen but limited to a collision domain

Question 22

Active sniffing

Answer 22

Packet injection, port spanning also known as port mirroring to open up other collision domains. Some routers only allow a port to be mirrored for read and not for transmit

Question 23

MAC flooding

Answer 23

Force a switch’s content addressable memory (CAM) table to fill up after which subsequent traffic will be flooded to all ports. Also known as switch port stealing

Question 24

ARP poisoning

Answer 24

Also known as ARP spoofing and gratuitous ARP. Process of maliciously changing an ARP cache on a machine to inject faulty entries,

Question 25

Arp flooding tools

Answer 25

Cain and Abel, WinArpAttacker, Ufasoft, Dsniff (Arpspoof)

Question 26

DHCP Starvation

Answer 26

Exhaust all leased out addresses on a DHCP server. Form of Denial of Service. Tools: yersinia, dhcpstarv Configure DHCP snooping on the DHCP server to mitigate this attack. DHCP snooping is a layer 2 security technology built into the operating system of a capable network switch that drops DHCP traffic determined to be unacceptable. The fundamental use case for DHCP snooping is to prevent unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients.

Question 27

Rogue DHCP server attack

Answer 27

An attacker sets up his own DHCP server and hands out IP addresses and options to control communications.

Question 28

MAC address spoofing

Answer 28

Some OS/drivers allow you to change it on the NIC, You can also use a tool like SMAC

Question 29

Switch Port Security

Answer 29

Manually assign a MAC address to a port. Network admins can also restrict the number of MAC addresses associated with a port. If more, the port switch will amber out.

Question 30

ICMP Router Discover Protocol (IRDP) spoofing

Answer 30

A hacker sends spoofed IRDP packets to change the gateway.

Question 31

Wireshark filters

Answer 31

!protocol - filter out the protocol http.request - displays all HTTP GET tcp contains string - shows all TCP packets with that string ip.addr= =ip address && tcp.port= = port ip.addr= =ip address or ip.addr= = ip address

Question 32

Wireshark TCP Filters

Answer 32

``` tcp.flags= =0xn where n: 1 = FIN 2 = SYN 4 = RST 8 = PSH 16 =ACK 32 = URG ```

Question 33

Put tcpdump in listening mode

Answer 33

tcpdump -i eth0

Question 34

Tool that can be used to analyze packet captures from tcpdump, WindDump,Wireshark and Etherpeek

Answer 34

tcptrace

Question 35

Intrusion Detection System (IDS)

Answer 35

Hardware and or software devices that examine streams of packets for unusual or malicious behavior sometimes via signature list and sometimes via anomaly (learned behavior) list. A signature based IDS is only as good as the signature list. An anomaly based IDS can produce false positives. Snort is an IDS

Question 36

Libwhisker

Answer 36

A Perl library used for HTTP-related functions including vulnerability scanning and IDS evasion. Used by NIKTO

Question 37

False Negative - from an IDS perspective

Answer 37

Occurs when an IDS reports an intrusion as fine. Worse than a false positive,

Question 38

Host based IDS (HIDS)

Answer 38

Resides on a host and not on the network. HIDS are often signature based, HIDS examples: Tripwire, Cybersafe, Norton Internet Security

Question 39

Host Based Security System (HBSS)

Answer 39

The Host Based Security System (HBSS) is the official name given to the United States Department of Defense (DOD) commercial-off-the-shelf (COTS) suite of software applications used within the DOD to monitor, detect, and defend the DOD computer networks and systems. The Enterprise-wide Information Assurance and computer Network Defense Solutions Steering Group (ESSG) sponsored the acquisition of the HBSS System for use within the DOD Enterprise Network. HBSS is deployed on both the Non-Classified Internet Protocol Routed Network (NIPRNet) and Secret Internet Protocol Routed Network (SIPRNet) networks, with priority given to installing it on the NIPRNet. HBSS is based on McAfee, Inc's ePolicy Orchestrator (ePO) and other McAfee point product security applications such as Host Intrusion Prevention System (HIPS).

Question 40

Network Intrusion Detection System (NIDS)

Answer 40

NIDS sit on the network perimeter and watch traffic coming into and leaving the network.

Question 41

SNORT

Answer 41

Open source IDS, powerful sniffer, traffic logging, and protocol analyzing tool that can detect buffer overflows, port scans, operating system fingerprinting. Rule sets (signatures) are updated often. Snort can run in three different modes: Sniffer Mode, Packet Logger Mode and IDS Mode.

Question 42

IDS will have difficulty detecting malicious activity if:

Answer 42

The traffic is encrypted or obfuscated by decoys,

Question 43

Network Tap

Answer 43

A connection that lets you see all traffic going by it. Place it in the correct location and make sure it is rated for the expected throughput.

Question 44

Snort Configuration file - snort.conf

Answer 44

Resides in /etc/snort on Linux and c:\snort\etc on Windows and contains a list of rule sets to engage at startup.

Question 45

Snort HOME_NET

Answer 45

Variable that defines the local network

Question 46

Snort Rule

Answer 46

Single line in the configuration file and contains an action, a protocol, the rule format direction which could be bidirectional, a source address/port, a destination address/port and message parameters. The Snort rule action can be Alert, Log,or Pass.

Question 47

Firewall

Answer 47

A device that is designed to protect internal resources from unauthorized external access. Firewalls work with both explicit and implicit rules. Also, rule location matters as a match on a rule may end the rule processing.

Question 48

Packet filtering firewalls

Answer 48

Examine the header to make a forward or drop decision

Question 49

Stateful inspection firewalls

Answer 49

Tracks the entire status of a connection. Also known as stateful multilayer inspection. From the Network to the Application layer.

Question 50

Circuit level firewall

Answer 50

Works at the session layer

Question 51

Application level firewall

Answer 51

Works as an application proxy

Question 52

HTTP tunneling

Answer 52

A firewall evasion technique used by hackers to tunnel their traffic over port 80.

Question 53

HTTP beacons

Answer 53

Communicating with Command and Control using http

Question 54

IDS Evasion Techniques

Answer 54

Go slow, deploy decoys and fake attacks to flood, use fragmentation, use Unicode characters

Question 55

IDS Evasion Tools

Answer 55

``` Nessus, ADMmutate, NIDSbench (fragmentation), Inundator (flooding tool), IDS Informer (can use captured traffic to craft an IDS evasion). Packet Generator and PackETH. ```

Question 56

Firewall Discovery and Evasion

Answer 56

ICMP Type 3, Code 13 shows traffic is being filtered by a firewall ICMP Type 3, Code 3 - the client has a port closed Firewall Informer can discover the location of firewalls.

Question 57

Firewalking

Answer 57

``` Determine which ports are open on a firewall. NMAP, Firewalk, CovertTCP, ICMP Shell, 007 Shell ```

Question 58

Honeypot

Answer 58

A system set up as a decoy to entice attackers. Needs to be walled off from other systems.

Question 59

High Interaction Honeypot

Answer 59

Simulates all services and applications designed to be completely compromised. Symantec, Decoy Server, and Honeynets

Question 60

Low Interaction Honeypot

Answer 60

Simulates a limited number of services and will not be completely compromised by design. Specter, Honeyd and KFSensor

Question 61

DHCP Packets

Answer 61

DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK