ITN 261 - Chapter 9
Which command-line parameter would you use to disable name resolutions in tcpdump? 0. -n 1. -i 2. -r 3. -x
0. -n The -i flag indicates which interface to listen on. The -n flag tells tcpdump not to do name resolution, leaving you with numeric values for the IP address and port number. (-r reads packets back from a saved capture file and -x prints each packet in hex; neither affects resolution.)
What is one downside to running a default tcpdump without any parameters? 0. DNS requests 1. Not enough information 2. Sequence numbers don't show 3. tcpdump won't run without additional parameters
0. DNS requests By default, tcpdump does name resolution. Not only does tcpdump look up port numbers and print their service names, it also performs a reverse DNS lookup for every IP address it prints. That lookup is network traffic of its own, which means that for most packets there is probably a DNS request generated by tcpdump itself showing up in the packet capture, and a slow resolver will also stall the output.
What would you use sslstrip for? 0. Getting plaintext traffic 1. Removing all SSL requests 2. Converting SSL to TLS 3. Converting TLS to SSL
0. Getting plaintext traffic Sslstrip is used to get plaintext traffic. Sitting in the middle of the connection, it rewrites the https:// links and redirects in the server's responses to http://, so the victim's browser keeps talking plaintext HTTP to the attacker while the attacker talks HTTPS to the real server. It does not remove SSL requests, and it does not convert SSL to TLS or TLS to SSL; there would be no particular advantage to either of those tasks.
What is the /etc/ettercap/etter.dns file used for? 0. Enabling firewall rules for Ettercap 1. Configuring hostnames to IP addresses 2. Setting up mail for Ettercap 3. Disabling ARP spoofing in Ettercap
1. Configuring hostnames to IP addresses The iptables (formerly ipchains) command that turns on port redirection for Ettercap's SSL interception is configured in a different file, etter.conf. The etter.dns file holds the mapping of hostnames to IP addresses, as well as other DNS resource records, that Ettercap's dns_spoof plug-in uses to forge its answers.
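The following is an added example, not code from the page or from the Ettercap project: a small Python reader for an etter.dns-style file and the lookup a DNS spoofer would do against it. The file excerpt, the names and the address 192.168.86.99 are constructed for the example; the exact-before-wildcard precedence and the cross-label wildcard match are assumptions about matching rules, not something the page states.

```python
import fnmatch

# Constructed etter.dns excerpt (assumed content, in ettercap's "<name> <type> <value>"
# layout with '#' comments and '*' wildcards in names). The addresses are made up.
ETTER_DNS = """\
# send the bank's web traffic to the attacker's box at 192.168.86.99
www.example-bank.com    A    192.168.86.99
*.example-bank.com      A    192.168.86.99
www.example-bank.com    PTR  192.168.86.99   # reverse lookups point back at the fake name
"""


def parse_etter_dns(text):
    """Return (name, type, value) records, ignoring comments and blank lines."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, rtype, value = line.split()
        records.append((name.lower().rstrip("."), rtype.upper(), value))
    return records


def spoofed_answer(records, qname, qtype="A"):
    """Decide what a DNS spoofer driven by this file would answer for a query.
    Returns the forged value, or None when nothing matches and the real reply should pass.
    Assumption (not from the page): exact names beat wildcards, and '*' matches across labels."""
    qname = qname.lower().rstrip(".")
    if qtype == "PTR":
        # PTR lines are written forward (name PTR ip); a reverse query carries the ip
        for name, rtype, value in records:
            if rtype == "PTR" and value == qname:
                return name
        return None
    exact = [v for n, t, v in records if t == qtype and n == qname]
    if exact:
        return exact[0]
    for name, rtype, value in records:
        if rtype == qtype and "*" in name and fnmatch.fnmatchcase(qname, name):
            return value
    return None


RECORDS = parse_etter_dns(ETTER_DNS)

if __name__ == "__main__":
    for q in ("www.example-bank.com", "mail.example-bank.com", "www.example.com"):
        print(q, "->", spoofed_answer(RECORDS, q))
```

Only names that match a record get a forged answer; a query for any other name returns None here, which corresponds to the spoofer staying silent and letting the real DNS reply through.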
Why might you have more endpoints shown at layer 4 than at layer 2? 0. Layer 4 multiplexes layer 2. 1. Systems may initiate multiple connections to the same host. 2. Ports are more numerous than MAC addresses. 3. The IP addresses dictate the endpoints.
1. Systems may initiate multiple connections to the same host. The number of MAC addresses can be smaller than the number of layer 3 addresses because multiple IP addresses can sit behind a single MAC address: any IP address that is off the local network shows up with the gateway's MAC address. In the same way, if a system opens multiple connections to the same host, as happens when rendering a web page, there are multiple port combinations for the same source and destination IP pair, so layer 4 shows more endpoints than layer 3, which in turn can show more than layer 2.
What does the following line mean? Sequence number: 4361 (relative sequence number) 1. The sequence number shown is not the real sequence number. 2. The sequence number shown has not been incremented. 3. The sequence number shown isn't long enough. 4. The sequence number shown is the acknowledgment number.
1. The sequence number shown is not the real sequence number. Wireshark presents a relative sequence number: it subtracts the initial sequence number it saw for that direction of the conversation from every later value, so the SYN shows as Seq=0 and the first byte of data is Seq=1. The relative sequence number increments just as the real sequence number does. The real sequence number, a 32-bit value that is usually very large, is hidden to make analysis easier; it is still in the packet, and the relative display can be switched off in Wireshark's TCP protocol preferences.
What can you say about [TCP Segment Len: 35], as provided by Wireshark? 0. The window size has changed. 1. Wireshark has inferred this information. 2. Wireshark extracted this from one of the headers. 3. Wireshark has additional detail below.
1. Wireshark has inferred this information. Anything you see in Wireshark in square brackets [ ] is something Wireshark has calculated or inferred, not something extracted directly from a header in the packet capture. There is no length field in the TCP header; Wireshark computes the segment length as the IP total length minus the IP and TCP header lengths. Wireshark is helping with the packet analysis.
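The following is an added example, not code from the page or from Wireshark: a Python script that hand-builds a TCP handshake plus one data segment, then reproduces the two displays discussed in the last two questions, the relative sequence numbers and the bracketed [TCP Segment Len]. The frames, addresses, ports and initial sequence numbers are constructed for the example (the ISNs reuse the large values that appear in the page's tcpdump sample); nothing here is a real capture.

```python
import struct

ETH_LEN = 14  # bytes of Ethernet header in front of the IPv4 header


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", tcp_opts=b""):
    """Constructed Ethernet/IPv4/TCP frame for parsing only (checksums left at 0)."""
    tcp_hdr_len = 20 + len(tcp_opts)
    assert tcp_hdr_len % 4 == 0, "TCP options must pad to a 32-bit boundary"
    data_offset = (tcp_hdr_len // 4) << 4          # high nibble of byte 12 of the TCP header
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags,
                      2048, 0, 0) + tcp_opts + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def parse_tcp(frame):
    """Decode the fields Wireshark prints for a TCP segment from the raw header bytes."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, ETH_LEN + 2)[0]
    src = ".".join(str(b) for b in frame[ETH_LEN + 12:ETH_LEN + 16])
    dst = ".".join(str(b) for b in frame[ETH_LEN + 16:ETH_LEN + 20])
    tcp_off = ETH_LEN + ihl
    sport, dport, seq, ack, doff_flags = struct.unpack_from("!HHIIH", frame, tcp_off)
    tcp_hdr_len = (doff_flags >> 12) * 4
    # [TCP Segment Len] is in square brackets because no header carries it: Wireshark
    # derives it as IP total length minus the IP and TCP header lengths.
    seg_len = total_len - ihl - tcp_hdr_len
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "seq": seq,
            "ack": ack, "flags": doff_flags & 0x1FF, "seg_len": seg_len}


def relative_seq_numbers(frames):
    """Mimic Wireshark's relative sequence numbers: the first sequence number seen in each
    direction is treated as 0, so the SYN shows Seq=0 and the first data byte is Seq=1.
    Returns (relative seq, relative ack, segment length) per frame; the relative ack is
    None until the reverse direction has been seen (Wireshark prints Ack=0 there)."""
    isn = {}
    out = []
    for frame in frames:
        p = parse_tcp(frame)
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        isn.setdefault(fwd, p["seq"])
        rel_seq = (p["seq"] - isn[fwd]) & 0xFFFFFFFF     # 32-bit wrap, like the real counter
        rel_ack = (p["ack"] - isn[rev]) & 0xFFFFFFFF if rev in isn else None
        out.append((rel_seq, rel_ack, p["seg_len"]))
    return out


# Constructed handshake plus one 35-byte request (not a real capture). The absolute ISNs
# are large, exactly the kind of value Wireshark hides behind relative numbers.
CLIENT, SERVER = "192.168.86.26", "157.240.19.26"
ISN_C, ISN_S = 915235445, 3437317287
TS_OPT = b"\x01\x01\x08\x0a" + struct.pack("!II", 1310611430, 1794010423)  # nop,nop,TS
REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n"          # 35 bytes of payload
SYN, ACK, PSH = 0x02, 0x10, 0x08
SAMPLE_FRAMES = [
    build_frame(CLIENT, SERVER, 61618, 443, ISN_C, 0, SYN, tcp_opts=TS_OPT),
    build_frame(SERVER, CLIENT, 443, 61618, ISN_S, ISN_C + 1, SYN | ACK, tcp_opts=TS_OPT),
    build_frame(CLIENT, SERVER, 61618, 443, ISN_C + 1, ISN_S + 1, ACK, tcp_opts=TS_OPT),
    build_frame(CLIENT, SERVER, 61618, 443, ISN_C + 1, ISN_S + 1, PSH | ACK, REQUEST, TS_OPT),
    build_frame(SERVER, CLIENT, 443, 61618, ISN_S + 1, ISN_C + 1 + len(REQUEST), ACK,
                tcp_opts=TS_OPT),
]

if __name__ == "__main__":
    for i, (rel_seq, rel_ack, seg_len) in enumerate(relative_seq_numbers(SAMPLE_FRAMES), 1):
        print(f"frame {i}: Seq={rel_seq} Ack={rel_ack} [TCP Segment Len: {seg_len}]")
```

Running it prints Seq=0 for both SYNs, Seq=1 for the 35-byte request and Ack=36 for the segment that acknowledges it, while the absolute values 915235445 and 3437317287 never appear, which is exactly what the relative display hides from you.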
Why might you have problems with sslstrip? 0. sslstrip is deprecated. 1. sslstrip doesn't work with newer versions of TLS. 2. sslstrip doesn't support TLS. 3. sslstrip only works with Ettercap.
1. sslstrip doesn't work with newer versions of TLS Sslstrip was released in 2009 and relied on clients quietly accepting a downgrade from HTTPS to HTTP, which was the norm with SSL and with early TLS deployments. Newer TLS deployments, together with HTTP Strict Transport Security (HSTS) and browser preload lists, refuse that downgrade, which means sslstrip won't work against them.
What would you need to do before you could perform a DNS spoof attack? 0. Set up a port span 1. Start up Wireshark 2. ARP spoof 3. Configure sslstrip
2. ARP spoof A DNS spoofing attack requires that the program can see the DNS request in order to answer it before the real server does. On a switched network that means an ARP spoof has to be in place first, so Ettercap (or another tool) receives the victim's traffic, including the DNS request, and can send the forged response.
At which protocol layer does the Berkeley Packet Filter operate? 0. Internetwork 1. Transport 2. Data Link 3. Protocol
2. Data Link BPF operates at the Data Link layer: the filter program runs over the raw frame, so it can match on MAC addresses as well as on everything above them. If BPF operated at a higher layer, the lower headers would already have been stripped and you wouldn't be able to filter on the entire set of packet headers.
What program could be used to perform spoofing attacks and also supports plug-ins? 0. arpspoof 1. fragroute 2. Ettercap 3. sslstrip
2. Ettercap (ethernet capture) arpspoof and Ettercap can both be used to perform ARP spoofing. Ettercap also supports other types of spoofing attacks, such as DNS spoofing, and loadable plug-ins; sslstrip functionality is available as an Ettercap plug-in. Fragroute is a program that does something completely different: it intercepts and rewrites outbound traffic, fragmenting and reordering it to evade intrusion detection.
What do we call an ARP response without a corresponding ARP request? 0. Is-at response 1. Who-has ARP 2. Gratuitous ARP 3. IP response
2. Gratuitous ARP When an ARP response is sent without a corresponding ARP request, it's an unexpected or unnecessary message. This makes it a gratuitous ARP. Hosts send them legitimately to announce an address, but because most systems update their ARP cache on receipt, the same unsolicited reply is what an ARP spoofing tool sends to poison a victim's cache.
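The following is an added example, not code from the page: a Python audit that walks ARP frames in capture order and flags replies nobody asked for, separating a plain gratuitous ARP (sender and target IP equal) from an unsolicited reply aimed at another host, and noting when an IP shows up with a different MAC than it had before. The four frames, the MAC addresses and the 192.168.86.0/24 addresses are constructed for the example.

```python
import struct

ETH_ARP = b"\x08\x06"
BROADCAST = "ff:ff:ff:ff:ff:ff"
REQUEST, REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed ARP-over-Ethernet frame (not from a real capture)."""
    announce = opcode == REQUEST or sender_ip == target_ip
    eth = mac_bytes(BROADCAST if announce else target_mac) + mac_bytes(sender_mac) + ETH_ARP
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode the ARP header that follows the 14-byte Ethernet header; None for non-ARP."""
    if frame[12:14] != ETH_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack_from("!HHBBH6s4s6s4s", frame, 14)
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def audit_arp(frames):
    """Report replies that were never asked for, as (frame index, label):
      'gratuitous'  - reply whose sender and target IP are the same (an announcement)
      'unsolicited' - reply to a host that never sent a matching who-has
      'mac-changed' - the sender IP was already known with a different MAC (poisoning symptom)"""
    pending = set()   # (requester ip, requested ip) still awaiting an answer
    table = {}        # ip -> mac learned from replies, like a host's ARP cache
    findings = []
    for i, frame in enumerate(frames):
        a = parse_arp(frame)
        if a is None or a["op"] not in (REQUEST, REPLY):
            continue
        if a["op"] == REQUEST:
            pending.add((a["spa"], a["tpa"]))
            continue
        if a["spa"] == a["tpa"]:
            findings.append((i, "gratuitous"))
        elif (a["tpa"], a["spa"]) in pending:
            pending.discard((a["tpa"], a["spa"]))      # the is-at someone actually asked for
        else:
            findings.append((i, "unsolicited"))
        if table.get(a["spa"], a["sha"]) != a["sha"]:
            findings.append((i, "mac-changed"))
        table[a["spa"]] = a["sha"]
    return findings


# Constructed sequence: a normal resolution, an announcement, then a poisoning reply.
HOST, GATEWAY = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:fe"
OTHER, ATTACKER = "aa:bb:cc:00:00:02", "de:ad:be:ef:00:66"
SAMPLE = [
    build_arp(REQUEST, HOST, "192.168.86.10", "00:00:00:00:00:00", "192.168.86.1"),  # who-has 86.1
    build_arp(REPLY, GATEWAY, "192.168.86.1", HOST, "192.168.86.10"),                 # is-at, solicited
    build_arp(REPLY, OTHER, "192.168.86.20", OTHER, "192.168.86.20"),                 # gratuitous ARP
    build_arp(REPLY, ATTACKER, "192.168.86.1", HOST, "192.168.86.10"),                # claims the gateway
]

if __name__ == "__main__":
    for idx, label in audit_arp(SAMPLE):
        print(f"frame {idx}: {label}: {parse_arp(SAMPLE[idx])}")
```

The last frame is the interesting one: it is unsolicited and it moves 192.168.86.1 from the gateway's MAC to the attacker's, which is the signature an ARP-spoof detector looks for. A gratuitous announcement on its own (frame 2) is normal and gets only the first label.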
Which functionality in Wireshark will provide you with percentages for every protocol in the packet capture, ordered by protocol layers? 0. Conversations 1. Endpoints 2. Protocol hierarchy 3. Statistics view
2. Protocol hierarchy While conversations and endpoints are statistics you can get from Wireshark, the protocol hierarchy view shows a layered look at all the protocols in the capture, showing percentages for all of the protocols.
What problem does port spanning overcome? 0. Switches don't support layer 3. 1. Switches aggregate ports. 2. Switches filter traffic. 3. Switches are unreliable.
2. Switches filter traffic. A switch learns which MAC address sits on which port and forwards a frame only out the port that owns the destination MAC address, so a sniffer plugged into another port never sees it; port spanning (mirroring) copies that traffic to the sniffer's port. Switches are reliable. They don't support layer 3 as switches, though there are multilayer switches that include routing functionality; either way, that's not something port spanning overcomes. Switches may aggregate ports, but port spanning doesn't have anything to do with that.
Which hardware vendor uses the term SPAN on switches? 1. HP 2. 3COM 3. Cisco 4. Juniper
3. Cisco Different vendors use different terms to refer to port mirroring. Cisco uses the term Switch Port Analyzer (SPAN), which leads to the process sometimes being called port spanning.
If you saw the following command line, what would you be capturing? tcpdump -i eth2 host 192.168.10.5 1. Traffic just from 192.168.10.5 2. Traffic to and from 192.168.10.5 3. Traffic just to 192.168.10.5 4. All traffic other than from 192.168.86.5
2. Traffic to and from 192.168.10.5 The expression host 192.168.10.5 is a BPF filter telling tcpdump to capture, on interface eth2, only packets to or from 192.168.10.5. If you wanted just one direction, you would qualify host with src or dst: src host 192.168.10.5 or dst host 192.168.10.5.
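The following is an added example, not code from the page or from tcpdump: a Python evaluator for the three filter forms in this answer (host, src host, dst host) applied to raw frames, which also shows why BPF is said to work at the data link layer: it starts from the Ethernet frame and reads the IPv4 addresses at fixed offsets behind it, and a frame with no IP header (the ARP frame below) simply never matches. The frames and addresses are constructed for the example.

```python
ETH_IPV4 = b"\x08\x00"


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def dotted(raw):
    return ".".join(str(b) for b in raw)


def build_ipv4_frame(src_ip, dst_ip):
    """Constructed Ethernet + bare IPv4 header (no payload), enough for address filtering."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETH_IPV4
    ip = (b"\x45\x00\x00\x14"          # version/IHL, TOS, total length 20
          + b"\x00\x00\x00\x00"        # identification, flags/fragment offset
          + b"\x40\x06\x00\x00"        # TTL 64, protocol TCP, checksum 0
          + ip_bytes(src_ip) + ip_bytes(dst_ip))
    return eth + ip


def ipv4_addresses(frame):
    """BPF works on the raw frame, so the IPv4 addresses sit at fixed offsets past the
    14-byte Ethernet header: source at 26..30, destination at 30..34. Non-IPv4 gives None."""
    if frame[12:14] != ETH_IPV4:
        return None
    return dotted(frame[26:30]), dotted(frame[30:34])


def bpf_host_match(frame, expr):
    """Evaluate the three forms from the question: 'host A', 'src host A', 'dst host A'."""
    words = expr.split()
    addrs = ipv4_addresses(frame)
    if addrs is None:
        return False
    src, dst = addrs
    if words[0] == "host" and len(words) == 2:
        return words[1] in (src, dst)                   # either direction
    if words[:2] == ["src", "host"] and len(words) == 3:
        return src == words[2]
    if words[:2] == ["dst", "host"] and len(words) == 3:
        return dst == words[2]
    raise ValueError(f"unsupported expression: {expr!r}")


def select_frames(frames, expr):
    """Indices of the frames tcpdump would keep for the given expression."""
    return [i for i, f in enumerate(frames) if bpf_host_match(f, expr)]


# Constructed traffic: two packets of a conversation with 192.168.10.5, an unrelated packet,
# and an ARP frame (EtherType 0x0806) that carries no IP header at all.
SAMPLE = [
    build_ipv4_frame("192.168.10.5", "10.0.0.1"),
    build_ipv4_frame("10.0.0.1", "192.168.10.5"),
    build_ipv4_frame("10.0.0.2", "10.0.0.3"),
    bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\x00" * 28,
]

if __name__ == "__main__":
    for expr in ("host 192.168.10.5", "src host 192.168.10.5", "dst host 192.168.10.5"):
        print(f"{expr:24s} -> frames {select_frames(SAMPLE, expr)}")
```

The plain host form keeps both frames of the conversation; src host and dst host each keep one of them, which is the difference the answer describes.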
Which program would you use if you wanted to only print specific fields from the captured packet? 0. fielddump 1. tcpdump 2. wiredump 3. tshark
3. tshark While tcpdump and tshark can both be used to capture packets, tshark gives you the ability to specify which fields you want to output (with -T fields and one -e option per field). The other two options don't exist.
In the following packet, what port is the source port? 20:45:55.272087 IP yazpistachio.lan.62882 > loft.lan.afs3-fileserver: Flags [P.], seq 915235445:915235528, ack 3437317287, win 2048, options [nop,nop,TS val 1310611430 ecr 1794010423], length 83 1. lan 2. fileserver 3. yazpistachio 4. 62882
4. 62882 tcpdump prints each address as hostname-or-IP.port (with -n, a numeric IP and port). The addresses go source > destination, so yazpistachio.lan is the source hostname and 62882 is the port on the source address; the destination port appears as the service name afs3-fileserver because name resolution was on.
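The following is an added example, not code from the page or from tcpdump: a Python parser for tcpdump's TCP summary lines that pulls out source and destination host and port, the flags, the sequence range, the ack, the window and the payload length, and then checks that the sequence range agrees with the length. The first sample line is the one from the question; the other two are constructed (one with numeric addresses as printed under -n, one SYN with no ack and no sequence range).

```python
import re

# One line copied from the question plus two constructed ones.
TCPDUMP_LINES = [
    "20:45:55.272087 IP yazpistachio.lan.62882 > loft.lan.afs3-fileserver: Flags [P.], "
    "seq 915235445:915235528, ack 3437317287, win 2048, "
    "options [nop,nop,TS val 1310611430 ecr 1794010423], length 83",
    "20:45:55.272200 IP 192.168.86.26.61618 > 157.240.19.26.443: Flags [.], ack 1276, "
    "win 2048, options [nop,nop,TS val 1266252437 ecr 3725556941], length 0",
    "20:45:56.000001 IP 10.0.0.1.5555 > 10.0.0.2.80: Flags [S], seq 12345, win 65535, "
    "options [mss 1460], length 0",
]

# The port is the last dot-separated element of each address, so the host part is matched
# greedily and the port part may not contain a dot.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>[^.\s:]+) > (?P<dst>\S+)\.(?P<dport>[^.\s:]+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r"(?:, options \[(?P<options>[^\]]*)\])?"
    r", length (?P<length>\d+)$"
)


def parse_tcpdump_line(line):
    """Split a tcpdump TCP summary line into fields; None if the line has another shape.
    Addresses are printed source first, then '>' and the destination."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("seq", "seq_end", "ack", "win", "length"):
        d[key] = int(d[key]) if d[key] is not None else None
    d["flags"] = set(d["flags"].replace(".", "A"))   # tcpdump writes ACK as '.'
    return d


def seq_range_consistent(parsed):
    """seq end minus seq start must equal the payload length; a mismatch means the line
    was garbled or mis-parsed. Lines without a range must carry no payload."""
    if parsed["seq_end"] is None:
        return parsed["length"] == 0
    return parsed["seq_end"] - parsed["seq"] == parsed["length"]


if __name__ == "__main__":
    for line in TCPDUMP_LINES:
        p = parse_tcpdump_line(line)
        print(f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]} '
              f'flags={sorted(p["flags"])} len={p["length"]} ok={seq_range_consistent(p)}')
```

On the question's line the parser returns sport 62882 and dport afs3-fileserver, and 915235528 minus 915235445 is 83, matching the printed length.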
What protocol is being used in the frame listed in this summary? 719 42.691135 157.240.19.26 192.168.86.26 TCP 1464 443 → 61618 [ACK] Seq=4361 Ack=1276 Win=31232 Len=1398 TSval=3725556941 TSecr=1266252437 [TCP segment of a reassembled PDU] 1. TLS 2. UDP 3. IP 4. TCP
4. TCP After the frame number, time, source IP, and destination IP comes the Protocol column, and this frame shows TCP. Port 443 suggests TLS is carried above it, but Wireshark labels the segment TCP because it is only a piece of a larger reassembled PDU, so no higher-layer dissection has been applied to it yet.
The following shows a time stamp. What does the time of this message reflect? 630 41.897644 192.168.86.210 239.255.255.250 SSDP 750 NOTIFY * HTTP/1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT] 1. The time since 1970 2. The time of day 3. The time since packet start 4. There is no time in the summary
3. The time since packet start By default, Wireshark shows a relative time, in seconds, since the start of the packet capture. You can change the column (View > Time Display Format) to show absolute time, such as the time of day or the seconds since 1970 (epoch time). However, that's not what is shown here.