10.1.17 - Sniffing (Practice Questions)


A security analyst is using tcpdump to capture suspicious traffic detected on port 443 of a server. The analyst wants to capture the entire packet with hexadecimal and ASCII output only. Which of the following tcpdump options will achieve this output?
-SX port 443
-SA port 443
-SXX port 443
src port 443

-SX port 443

You have been asked to perform a penetration test for a company to see if any sensitive information can be captured by a potential hacker. You have used Wireshark to capture a series of packets. Using the tcp contains Invoice filter, you have found one packet. Using the captured information shown, which of the following is the name of the company requesting payment?

ACME, Inc

As part of your penetration test, you are using Ettercap in an attempt to spoof DNS. You have configured the target and have selected the dns_spoof option (see image). To complete the configuration of this test, which of the following MITM options should you select?
ARP poisoning
Port stealing
DHCP spoofing
NDP poisoning

ARP poisoning

Using Wireshark, you have used a filter to help capture only the desired types of packets. Using the information shown in the image, which of the following best describes the effects of using the net 192.168.0.0 filter?
Only packets with either a source or destination address on the 192.168.0.0 network are captured.
Only packets with a source address of 192.168.0.0 are captured.
Only packets with a source address on the 192.168.0.0 network are captured.
Only packets with a destination address on the 192.168.0.0 network are captured.

Only packets with either a source or destination address on the 192.168.0.0 network are captured.

You have just captured the following packet using Wireshark and the filter shown. Which of the following is the captured password?
p@ssw0rd
watson
watson-p
St@y0ut!@

St@y0ut!@

Which of the following actions was performed using the WinDump command line sniffer?
Wrote packet capture files from interface 1 into mycap.pcap.
Read packet capture files from interface 1 in the mycap.pcap file.
Requested that hexadecimal strings be included from interface 1 to mycap.pcap.
Requested that ASCII strings be included from interface 1 to mycap.pcap.

Wrote packet capture files from interface 1 into mycap.pcap.

You have been asked to perform a penetration test for a company to see if any sensitive information can be captured by a potential hacker. You have used Wireshark to capture a series of packets. Using the tcp contains Invoice filter, you have found one packet. Using the captured information shown, which of the following is the account manager's email address?

[email protected]

Using Wireshark filtering, you want to see all traffic except IP address 192.168.142.3. Which of the following is the best command to filter a specific source IP address?
ip.src eq 192.168.142.3
ip.src && 192.168.142.3
ip.src ne 192.168.142.3
ip.src == 192.168.142.3

ip.src ne 192.168.142.3
The ne operator means not equal, so this display filter shows all traffic whose source address is not 192.168.142.3. == and eq both mean equal to, and && means and.

Which of the following is the term used to describe what happens when an attacker sends falsified messages to link their MAC address with the IP address of a legitimate computer or server on the network?

ARP poisoning

As the cybersecurity specialist for your company, you believe a hacker is using ARP poisoning to infiltrate your network. To test your hypothesis, you have used Wireshark to capture packets and then filtered the results. After examining the results, which of the following is your best assessment regarding ARP poisoning?
ARP poisoning is occurring, as indicated by the multiple Who Has packets being sent.
ARP poisoning is occurring, as indicated by the short time interval between ARP packets.
ARP poisoning is occurring, as indicated by the duplicate response IP address.
No ARP poisoning is occurring.

ARP poisoning is occurring, as indicated by the duplicate response IP address.
When Wireshark sees ARP replies that bind the same IP address to two different MAC addresses, it flags them with a "Duplicate IP address detected" warning. Even without that message, two ARP replies claiming the same IP address from different MAC addresses are a strong indication that ARP poisoning is taking place on your network. Multiple Who Has requests and short intervals between ARP packets are normal on a busy segment and do not by themselves indicate poisoning.
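The duplicate-IP check described above, as an added example that is not part of the original question set: it builds a few Ethernet/ARP frames in the RFC 826 layout (constructed sample, hypothetical MAC and IP addresses), parses them back, and reports any IP address claimed by more than one MAC in ARP replies, which is the condition Wireshark's warning reports. The frame builder exists only to construct the sample; on a real network the frames come from the capture.

```python
"""Spot ARP poisoning in a set of frames the way Wireshark's
'Duplicate IP address detected' warning does: one IP address claimed
by more than one MAC address in ARP replies."""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806            # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2  # ARP opcodes


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II header followed by a 28-byte ARP packet (RFC 826).
    Requests go to the broadcast MAC; replies go to the target MAC."""
    eth_dst = "ff:ff:ff:ff:ff:ff" if oper == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # hardware type 1 (Ethernet), protocol type 0x0800 (IPv4), 6-byte MACs, 4-byte IPs
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return (oper, sender_mac, sender_ip, target_mac, target_ip),
    or None if the frame is not an Ethernet/IPv4 ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return oper, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)


def find_duplicate_ips(frames):
    """Map each sender IP seen in ARP replies to the MACs that claimed it
    and return only the IPs claimed by more than one MAC."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue                      # ignore non-ARP frames and requests
        _, sender_mac, sender_ip, _, _ = parsed
        claims[sender_ip].add(sender_mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def assess(frames) -> str:
    """One-line verdict in the form the practice question asks for."""
    dups = find_duplicate_ips(frames)
    if not dups:
        return "No ARP poisoning indicated"
    details = [f"{ip} claimed by {', '.join(macs)}" for ip, macs in sorted(dups.items())]
    return "ARP poisoning indicated (duplicate IP address): " + "; ".join(details)


# Constructed sample (hypothetical addresses): the real gateway answers a
# request, then a second MAC starts answering for the gateway's IP.
GATEWAY_IP, VICTIM_IP = "192.168.0.1", "192.168.0.34"
GATEWAY_MAC, VICTIM_MAC = "00:11:22:33:44:01", "00:11:22:33:44:34"
ATTACKER_MAC = "de:ad:be:ef:00:99"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),  # Who has 192.168.0.1?
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),            # legitimate reply
    build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),           # forged reply
    build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),           # repeated to keep the cache poisoned
]

if __name__ == "__main__":
    print(assess(SAMPLE_FRAMES))
```

Keying on sender IP to sender MAC is deliberate: a poisoner must claim the victim's or gateway's IP in the sender fields for the victim's ARP cache to be overwritten, so that is where the duplicate shows up. A legitimate IP move (a host replaced, or a failover VIP) produces the same signal, so treat the warning as a lead to verify against the switch's MAC table rather than as proof on its own.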

Using Wireshark, you have used a filter to help capture only the desired types of packets. Using the information shown in the image, which of the following best describes the effects of using the host 192.168.0.34 filter?
Only packets with 192.168.0.34 in the destination address are captured.
Only packets on the 192.168.0.34 network are captured.
Only packets with 192.168.0.34 in either the source or destination address are captured.
Only packets with 192.168.0.34 in the source address are captured.

Only packets with 192.168.0.34 in either the source or destination address are captured.
The host capture filter (the same BPF syntax tcpdump uses) captures only packets in which the specified IP address appears as either the source or the destination; to restrict it to one direction you would write src host or dst host. 192.168.0.34 is the address of a single device, not of a whole network; matching a network is what the net filter is for.
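The host and net capture-filter semantics behind this question and the earlier net 192.168.0.0 question, as an added example that is not part of the original question set: a small evaluator for the pcap-filter primitives [src|dst] host and [src|dst] net, run over constructed sample packets (hypothetical addresses), showing that the unqualified forms match either address while src and dst match one direction only. The network is written with an explicit prefix length here; that is an assumption of the example, because tcpdump's pcap-filter documentation derives the mask from how many dotted components you typed when no mask is given, so an explicit /24 or mask 255.255.255.0 is the unambiguous way to write the filter in practice.

```python
"""Evaluate pcap-style 'host' and 'net' capture-filter primitives,
with optional src/dst direction qualifiers, against decoded packets."""
import ipaddress

# Constructed sample packets (dicts stand in for decoded IPv4 headers).
PACKETS = [
    {"src": "192.168.0.34", "dst": "10.0.0.5"},
    {"src": "10.0.0.5", "dst": "192.168.0.34"},
    {"src": "192.168.0.7", "dst": "172.16.4.2"},
    {"src": "172.16.4.2", "dst": "10.0.0.9"},
]

# Which address fields a direction qualifier selects; no qualifier means either.
FIELDS_FOR = {"src": ("src",), "dst": ("dst",), None: ("src", "dst")}


def evaluate(primitive: str, pkt: dict) -> bool:
    """Return True if one packet satisfies '[src|dst] host A' or
    '[src|dst] net N/len' (pcap-filter semantics for these primitives)."""
    words = primitive.split()
    qualifier = words.pop(0) if words and words[0] in ("src", "dst") else None
    if len(words) != 2:
        raise ValueError(f"unsupported primitive: {primitive!r}")
    kind, value = words
    fields = FIELDS_FOR[qualifier]
    if kind == "host":
        return any(pkt[f] == value for f in fields)
    if kind == "net":
        network = ipaddress.ip_network(value, strict=False)
        return any(ipaddress.ip_address(pkt[f]) in network for f in fields)
    raise ValueError(f"unsupported primitive: {primitive!r}")


def apply_filter(primitive: str, packets) -> list:
    """Packets that would be kept by the given capture filter."""
    return [p for p in packets if evaluate(primitive, p)]


if __name__ == "__main__":
    for f in ("host 192.168.0.34", "src host 192.168.0.34", "dst host 192.168.0.34",
              "net 192.168.0.0/24", "src net 192.168.0.0/24", "dst net 192.168.0.0/24"):
        print(f"{f:28s} -> {len(apply_filter(f, PACKETS))} packet(s)")
```

With the sample above, host 192.168.0.34 keeps two packets (one in each direction) while src host keeps one; net 192.168.0.0/24 keeps three because a third packet is sent from another address on that network, which is exactly the distinction the two questions test.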

Which of the following are network sniffing tools?
WinDump, KFSensor, and Wireshark
Ettercap, Ufasoft snif, and Shark
Ufasoft snif, TCPDump, and Shark
Cain and Abel, Ettercap, and TCPDump

Cain and Abel, Ettercap, and TCPDump

Using sniffers has become one way for an attacker to view and gather network traffic. If an attacker overcomes your defenses and obtains network traffic, which of the following is the best countermeasure for securing the captured network traffic?
Use encryption for all sensitive traffic.
Implement acceptable use policies.
Use intrusion detection countermeasures.
Eliminate unnecessary system applications.

Use encryption for all sensitive traffic.

Your network administrator is configuring settings so the switch shuts down a port when the max number of MAC addresses is reached. What is the network administrator taking countermeasures against?
Hijacking
Spoofing
Sniffing
Filtering

Sniffing
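The countermeasure this question describes is switch port security, which defeats the MAC-flooding technique an attacker uses to turn a switch into a hub so that traffic can be sniffed. As an added example that is not part of the original question set, this is the Cisco IOS form of that configuration; the interface name is hypothetical and the maximum of one address assumes a single workstation on the port.

```cisco
! Limit the port to one learned MAC address and err-disable it on violation.
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! Optional: bring err-disabled ports back automatically after a delay.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verify the state and violation counters after a test.
! show port-security interface GigabitEthernet0/1
! show port-security address
```

Port security must be enabled on an access port (not a trunk), and violation shutdown is the mode that matches the question: once the limit is exceeded the port goes err-disabled, so a flooding tool stops getting traffic instead of overflowing the CAM table.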
