Chapter 10 Sniffers, Session Hijacking, and Denial of Service
Using Wireshark filtering, you want to see all traffic except IP address 192.168.142.3. Which of the following is the best command to filter a specific source IP address?
ip.src ne 192.168.142.3
You have been asked to perform a penetration test for a company to see if any sensitive information can be captured by a potential hacker. You have used Wireshark to capture a series of packets. Using the tcp contains Invoice filter, you have found one packet. Using the captured information shown, which of the following is the account manager's email address?
You have been asked to perform a penetration test for a company to see if any sensitive information can be captured by a potential hacker. You have used Wireshark to capture a series of packets. Using the tcp contains Invoice filter, you have found one packet. Using the captured information shown, which of the following is the name of the company requesting payment?
ACME, Inc
As part of your penetration test, you are using Ettercap in an attempt to spoof DNS. You have configured the target and have selected the dns_spoof option (see image). To complete the configuration of this test, which of the following MITM options should you select?
ARP poisoning
Which of the following is the term used to describe what happens when an attacker sends falsified messages to link their MAC address with the IP address of a legitimate computer or server on the network?
ARP poisoning
ARP poisoning
ARP poisoning is the process of sending spoofed messages onto a network in an attempt to associate your MAC address with the IP address of another host so the target machine will send frames to your system.
Creating an area of the network where offending traffic is forwarded and dropped is known as _________?
Black hole filtering
Distributed denial-of-service attack
Distributed denial-of-service attacks use numerous computers and internet connections across the globe to overload target systems.
Sniffing
Sniffing is the process of collecting information as it crosses the network.
You are the IT security administrator for a small corporate network. The HR director is concerned that an employee is doing something sneaky on the company's employee portal and has authorized you to hijack his web session so you can investigate. In this lab, your task is to hijack a web session as follows: On IT-Laptop, use Ettercap to sniff traffic between the employee's computer in Office1 and the gateway. Initiate a man-in-the-middle attack to capture the session ID for the employee portal logon. On Office1, log in to the employee portal on rmksupplies.com using Chrome and the following credentials: Username: bjackson; Password: $uper$ecret1. On IT-Laptop, copy the session ID detected in Ettercap. On Office2, navigate to rmksupplies.com and use the cookie editor plug-in in Chrome to inject the session ID cookie. Verify that you hijacked the session.
On IT-Laptop, open Terminal from the sidebar. At the prompt, type host office1 and press Enter to get the IP address of Office1. Type route and press Enter to get the gateway address. Use Ettercap to sniff traffic between Office1 and the gateway as follows: From the Favorites bar, open Ettercap. Maximize the window for easier viewing. Select Sniff > Unified sniffing. From the Network Interface drop-down list, select enp2s0. Click OK. Select Hosts > Scan for hosts. Select Hosts > Host list. We want to target information between Office1 (192.168.0.33) and the gateway (192.168.0.5). Under IP Address, select 192.168.0.5. Select Add to Target 1. Select 192.168.0.33. Select Add to Target 2. Initiate a man-in-the-middle attack as follows: Select Mitm > ARP poisoning. Select Sniff remote connections. Click OK. You are ready to capture traffic. On Office1, log in to the employee portal on rmksupplies.com as follows: From the top navigation tabs, select Floor 1 Overview. Under Office 1, select Office1. From the taskbar, open Chrome. Maximize the window for easier viewing. In the URL field, enter rmksupplies.com. Press Enter. At the bottom of the page, select Employee Portal. In the Username field, enter bjackson. In the Password field, enter $uper$ecret1. Click Login. You are logged into the portal as Blake Jackson. On IT-Laptop, copy the session ID detected in Ettercap as follows: From the top navigation tabs, select Floor 1 Overview. Under IT Administration, select IT-Laptop. In the Ettercap console, find bjackson's username, password, and session cookie (.login) captured in Ettercap. Highlight the session ID. Press Ctrl + C to copy. On Office2, go to rmksupplies.com and use the cookie editor plug-in to inject the session ID cookie as follows: From the top navigation tabs, select Floor 1 Overview. Under Office 2, select Office2. From the taskbar, open Chrome. Maximize the window for easier viewing. In Chrome's URL field, enter rmksupplies.com.
Press Enter. In the top right corner, select cookie to open the cookie editor. At the top, select the plus + sign to add a new session cookie. In the Name field, enter .login and, in the Value field, press Ctrl + V to paste in the session cookie you copied from Ettercap. Make sure rmksupplies.com is in the Domain field. Select the green check mark to save the cookie. Click outside the cookie editor to close the editor. At the bottom of the rmksupplies page, select Employee Portal. You are now on Blake Jackson's web session.
Which of the following best describes a reverse proxy method for protecting a system from a DoS attack?
Redirects all traffic before it is forwarded to a server, so the redirected system takes the impact.
Promiscuous mode
Turning on promiscuous mode gives the network interface permission to grab every frame that comes its way, even if it's addressed to someone else.
You suspect that an ICMP flood attack is taking place from time to time, so you have used Wireshark to capture packets using the tcp.flags.syn==1 filter. Initially, you saw an occasional SYN or ACK packet. After a short while, however, you started seeing packets as shown in the image. Using the information shown, which of the following explains the difference between normal ICMP (ping) requests and an ICMP flood?
With the flood, all packets come from the same source IP address in quick succession.
You have just captured the following packet using Wireshark and the filter shown. Which of the following is the captured password?
St@y0ut!@
You are using Wireshark to try and determine if a denial-of-service (DDoS) attack is happening on your network (128.28.1.1). You previously captured packets using the tcp.flags.syn==1 and tcp.flags.ack==1 filter, but only saw a few SYN-ACK packets. You have now changed the filter to tcp.flags.syn==1 and tcp.flags.ack==0. After examining the Wireshark results shown in the image, which of the following is the best reason to conclude that a DDoS attack is happening?
There are multiple SYN packets with different source addresses destined for 128.28.1.1.
Using sniffers has become one way for an attacker to view and gather network traffic. If an attacker overcomes your defenses and obtains network traffic, which of the following is the best countermeasure for securing the captured network traffic?
Use encryption for all sensitive traffic.
Which of the following is an attack where all traffic is blocked by taking up all available bandwidth between the target computer and the Internet?
Volumetric attack
Which of the following actions was performed using the WinDump command line sniffer?
Wrote packet capture files from interface 1 into mycap.pcap.
As an IT administrator, you need to know how security breaches are caused. You know that SMAC is used for MAC spoofing, so you are going to spoof your MAC address. In this lab, your task is to complete the following: On Office2 use ipconfig /all and find the IP address and MAC address. Spoof the MAC address on ITAdmin to that of Office2 using SMAC. Refresh your MAC and IP addresses to match the target machine.
Find the IP address and MAC address as follows: Right-click Start and select Windows PowerShell (Admin). At the command prompt, type ipconfig /all and press Enter. Find the MAC address and the IP address. Spoof the MAC address as follows: From the top navigation tabs, select Floor 1 Overview. Under IT Administration, select ITAdmin. In the search bar, type SMAC. Under Best match, right-click SMAC and select Run as administrator. In the New Spoofed Mac Address field, type 00:00:55:55:44:15 for the MAC address from Office2. Select Update MAC. Select OK to restart the adapter. Refresh your MAC and IP addresses as follows: Right-click Start and select Windows PowerShell (Admin). At the command prompt, type ipconfig /all to confirm the MAC address has been updated. Type ipconfig /renew to update the IP address.
A hacker has discovered UDP protocol weaknesses on a target system. The hacker attempts to send large numbers of UDP packets from a system with a spoofed IP address, which broadcasts out to the network in an attempt to flood the target system with an overwhelming amount of UDP responses. Which of the following DoS attacks is the hacker attempting to use?
Fraggle attack
In this lab, your task is to complete the following: On Consult-Lap2, use ssh -X to connect to your rogue computer using the following parameters: IP address: 192.168.0.251; Password: $uper$neaky. Use Ettercap and the following parameters to launch a DHCP spoofing man-in-the-middle attack on your rogue computer and attempt to capture any unsecure passwords: Network Interface: enp2s0; Netmask: 255.255.255.0; DNS Server IP address: 192.168.0.11. On Exec, release and renew the IP address assigned by DHCP. Log in to the rmksupplies.com employee portal using the following credentials: Username: bjackson; Password: $uper$ecret1. On Consult-Lap2, copy the session ID detected in Ettercap. On Consult-Lap, go to rmksupplies.com and use the cookie editor plug-in to inject the session ID cookie. Verify that you have hijacked the session.
From Consult-Lap2, connect to your rogue computer as follows: From the Favorites bar, open Terminal. At the prompt, type ssh -X 192.168.0.251 and press Enter. For the password, type $uper$neaky and press Enter. You are now connected to Rogue1. Use Ettercap to launch a DHCP spoofing man-in-the-middle attack as follows: At the prompt, type ettercap and press Enter to launch Ettercap remotely. Ettercap is running on the remote computer, but you see the screen locally. Select Sniff. Select Unified sniffing. From the Network Interface drop-down list, select enp2s0. Click OK. Select Mitm. Select DHCP spoofing. In the Netmask field, enter 255.255.255.0. In the DNS Server IP field, enter 192.168.0.11. Click OK. On Exec, release and renew the IP address as follows: From the top navigation tabs, select Buildings. Under Building A, select Floor 1. Under Executive Office, select Exec. Right-click Start and select Windows PowerShell (Admin). Type ipconfig /release and press Enter to release the currently assigned addresses. Type ipconfig /renew and press Enter to request a new IP address from the DHCP server. Log into the rmksupplies.com employee portal as follows: From the taskbar, open Chrome. Maximize the window for easier viewing. In the URL field, enter rmksupplies.com and press Enter. At the bottom of the page, select Employee Portal. In the Username field, enter bjackson. In the Password field, enter $uper$ecret1. Select Login. You are logged in as Blake Jackson. On Consult-Lap2, copy the session ID detected in Ettercap as follows: From the top navigation tabs, select Building A. Under Red Cell, select Consult-Lap2. In the Ettercap console, find bjackson's username, password, and session cookie (.login) captured in Ettercap. Highlight the session ID. Press Ctrl + C to copy.
On Consult-Lap, go to rmksupplies.com and use the cookie editor plug-in to inject the session ID cookie as follows: From the top navigation tabs, select Building A. Under Red Cell, select Consult-Lap. From the taskbar, open Chrome. Maximize the window for easier viewing. In Chrome's URL field, enter rmksupplies.com. Press Enter. In the top right corner, select cookie to open the cookie editor. At the top, select the plus + sign to add a new session cookie. In the Name field, enter .login and, in the Value field, press Ctrl + V to paste in the session cookie you copied from Ettercap. Make sure rmksupplies.com appears in the Domain field. Select the green check mark to save the cookie. Click outside the cookie editor to close the editor. At the bottom of the rmksupplies page, select Employee Portal. You are now on Blake Jackson's web session on your external computer.
Which of the following motivates attackers to use DoS and DDoS attacks?
Hacktivism, profit, and damage reputation
Denial-of-service attack
A denial-of-service attack occurs when a computer is used to flood a server with more packets than it can handle.
Which of the following best describes a DoS attack?
A hacker overwhelms or damages a system and prevents users from accessing a service.
Which of the following is characterized by an attacker using a sniffer to monitor traffic between a victim and a host?
Passive hijacking
While performing a penetration test, you captured a few HTTP POST packets using Wireshark. After examining the selected packet, which of the following concerns or recommendations will you include in your report?
Passwords are being sent in clear text.
Port mirroring
Port mirroring creates a duplicate of all network traffic on a port and sends it to another device.
As the cybersecurity specialist for your company, you have used Wireshark to check for man-in-the-middle DHCP spoofing attacks using the bootp filter. After examining the results, what is your best assessment?
A man-in-the-middle spoofing attack is possible due to two DHCP ACK packets.
Which of the following describes a session ID?
A unique token that a server assigns for the duration of a client's communications with the server.
A security analyst is using tcpdump to capture suspicious traffic detected on port 443 of a server. The analyst wants to capture the entire packet with hexadecimal and ASCII output only. Which of the following tcpdump options will achieve this output?
-SX port 443
The ping command is designed to test connectivity between two computers. There are several command options available to customize ping, making it a useful tool for network administrators. On Windows, the default number of ping requests is set to four. Which of the following command options will change the default number of ping requests?
-n
As the cybersecurity specialist for your company, you believe a hacker is using ARP poisoning to infiltrate your network. To test your hypothesis, you have used Wireshark to capture packets and then filtered the results. After examining the results, which of the following is your best assessment regarding ARP poisoning?
ARP poisoning is occurring, as indicated by the duplicate response IP address.
Jason, an attacker, has manipulated a client's connection to disconnect the real client and allow the server to think that he is the authenticated user. Which of the following describes what he has done?
Active hijacking
An attacker may use compromised websites and emails to distribute specially designed malware to poorly secured devices. This malware provides an access point to the attacker, which he can use to control the device. Which of the following devices can the attacker use?
Any device that can communicate over the intranet can be hacked.
Which of the following best describes the key difference between DoS and DDoS?
Attackers use numerous computers and connections.
Which of the following are network sniffing tools?
Cain and Abel, Ettercap, and TCPDump
You are the IT administrator for a small corporate network. You need to find specific information about the packets being exchanged on your network using Wireshark. In this lab, your task is to: Use Wireshark to capture packets from the enp2s0 interface. Use the following Wireshark filters to isolate and examine specific types of packets: net 192.168.0.0; host 192.168.0.34; tcp contains password. Answer the questions.
Begin a Wireshark capture as follows: From the Favorites bar, open Wireshark. Under Capture, select enp2s0. Select the blue fin to begin a Wireshark capture. Apply the net 192.168.0.0 filter as follows: In the Apply a display filter field, type net 192.168.0.0 and press Enter. Look at the source and destination addresses of the filtered packets. In the top right, select Answer Questions. Under Lab Questions, answer question 1. Apply the host 192.168.0.34 filter as follows: In the Apply a display filter field, type host 192.168.0.34 and press Enter. Look at the source and destination addresses of the filtered packets. Under Lab Questions, answer question 2. Apply the tcp contains password filter as follows: In the Apply a display filter field, type tcp contains password and press Enter. Select the red box to stop the Wireshark capture. Locate the password in the captured packet. Under Lab Questions, answer question 3. Select Score Lab.
Which of the following best describes the process of using prediction to gain session tokens in an Application level hijacking attack?
Collect several session IDs that have been used before and then analyze them to determine a pattern.
Using Wireshark, you have used a filter to help capture only the desired types of packets. Using the information shown in the image, which of the following best describes the effects of using the host 192.168.0.34 filter?
Only packets with 192.168.0.34 in either the source or destination address are captured.
Using Wireshark, you have used a filter to help capture only the desired types of packets. Using the information shown in the image, which of the following best describes the effects of using the net 192.168.0.0 filter?
Only packets with either a source or destination address on the 192.168.0.0 network are captured.
Which of the following are protocols included in the IPsec architecture?
IKE, AH, and ESP
Which of the following protocols is one of the most common methods used to protect packet information and defend against network attacks in VPNs?
IPsec
As the IT security administrator for a small corporate network, you need to simulate a SYN flood attack using Metasploit so you can complete a penetration test. In this lab, your task is to perform and monitor a SYN flood attack using the following information: Use Zenmap to find the FTP port on CorpServer (192.168.0.10). Use Metasploit to send a SYN flood attack as follows: Remote host: 192.168.0.10; Source host: 192.168.0.33. Set the FTP port to match the FTP port used by CorpServer. Use Wireshark to capture the SYN flood on the enp2s0 network interface. Filter to show only TCP SYN packets. Find the MAC address of the computer causing the SYN flood. Answer the questions.
From Zenmap, use nmap to find the FTP port used on CorpServer as follows: From the Favorites bar, open Zenmap. In the Command field, type nmap -p 0-100 192.168.0.10 and select Scan. CorpServer is using port 21 for FTP. Close Zenmap. Use Metasploit to send a SYN flood as follows: From the Favorites bar, open Metasploit Framework. At the prompt, type search synflood and press Enter to find a SYN flood Metasploit module. Type use auxiliary/dos/tcp/synflood and press Enter to select the SYN flood module. Type show options and press Enter to view the current options for the SYN flood module. Notice that RHOST and SHOST are unassigned and RPORT is set to port 80. Type set rhost 192.168.0.10 and press Enter to set the RHOST address. Type set shost 192.168.0.33 and press Enter to set the SHOST address. Type set rport 21 and press Enter to set the FTP port. Type show options and press Enter to view the new options for the SYN flood module. Notice that RHOST and SHOST have IP addresses assigned and RPORT is set to port 21, matching CorpServer. Capture SYN flood attacks on the CorpServer machine as follows: From the Favorites bar, open Wireshark. Under Capture, select enp2s0. In the Apply a display filter field, type host 192.168.0.10 and tcp.flags.syn==1 and press Enter. Select the blue fin to begin a Wireshark capture. Notice that no packets are being captured. In Metasploit, type exploit and press Enter to start a SYN flood. Capture packets for a few seconds. In Wireshark, select the red box to stop the Wireshark capture. Notice the time between each packet sent to host 192.168.1.10. Notice that only SYN packets were captured. In the top right, select Answer Questions. Answer question 1. In the middle pane, expand Ethernet II. Notice the source MAC address of the computer sending the SYN flood. Answer question 2. Select Score Lab.
In this lab, your task is to discover if ARP poisoning is happening as follows: Use Wireshark to capture packets on the enp2s0 interface for five seconds. Analyze the Wireshark packets to determine whether ARP poisoning is taking place. Use the 192.168.0.2 IP address to help make your determination. Answer the questions.
From the Favorites bar, open Wireshark. Maximize the window for easier viewing. Under Capture, select enp2s0. Select the blue fin to begin a Wireshark capture. After capturing packets for 5 seconds, select the red box to stop the Wireshark capture. In the Apply a display filter field, type arp and press Enter to only show ARP packets. In the Info column, look for the lines containing the 192.168.0.2 IP address. In the top right, select Answer Questions. Answer the questions. Select Score Lab.
In this lab, your task is to: Capture packets from the network segment on www_stage using Wireshark. Analyze the attack using the following filters: tcp.flags.syn==1 and tcp.flags.ack==1; tcp.flags.syn==1 and tcp.flags.ack==0. Answer the question.
From the Favorites bar, open Wireshark. Under Capture, select enp2s0. From the menu, select the blue fin to begin the capture. In the Apply a display filter field, type tcp.flags.syn==1 and tcp.flags.ack==1 and press Enter to filter the Wireshark display to only those packets with both the SYN flag and ACK flag. You may have to wait several seconds before any SYN-ACK packets are captured and displayed. Select the red square to stop the capture. In the Apply a display filter field, change the tcp.flags.ack ending from 1 to 0 and press Enter to filter the Wireshark display to packets with only the SYN flag. Notice that there is a flood of SYN packets being sent to 128.28.1.1 (www.corpnet.xyz) that are not being acknowledged. In the top right, select Answer Questions. Answer the question. Select Score Lab.
As the IT security specialist for your company, you are performing a penetration test to verify the security of the accounting department. You are concerned that invoice emails can be captured and the information gleaned from these emails can be used to help hackers generate fake invoice requests. In this lab, your task is to: Capture packets on the enp2s0 interface using Wireshark. Find packets containing invoice emails using display filters. Check to see if the following information can be seen in clear text format in the invoice emails: source and destination email addresses; names of those that sent or received the emails; customer information.
From the Favorites bar, open Wireshark. Under Capture, select enp2s0. Select the blue fin to begin a Wireshark capture. After a few seconds, select the red box to stop the Wireshark capture. In the Apply a display filter field, type tcp contains Invoice and press Enter. From the bottom panel, examine the packet information and locate the following: the account manager's email address; the recipient of the email's full name; the name of the company requesting payment. In the top right, select Answer Questions. In the bottom pane of Wireshark, examine the packet information to answer the questions. Answer the questions. Select Score Lab.
As the IT security specialist for your company, you're performing a penetration test to verify email security. You are specifically concerned that the HR department may be sending employees' personally identifiable information (PII) in clear text through emails. In this lab, your task is to: Capture packets on the enp2s0 interface using Wireshark. Find packets containing the following information using display filters: Social security numbers (SSN); birth dates; direct deposit routing numbers; mother's maiden name; favorite car; favorite movie. You can use the tcp contains desired_information filter.
From the Favorites bar, open Wireshark. Under Capture, select enp2s0. Select the blue fin to begin a Wireshark capture. After a few seconds, select the red box to stop the Wireshark capture. In the Apply a display filter field, type tcp contains SSN and press Enter. In the top right, select Answer Questions. In the bottom pane of Wireshark, examine the packet information to answer the questions. Answer the questions. Select Score Lab.
You are the cybersecurity specialist for your company. You need to check to see if any clear text passwords are being exposed to hackers through an HTTP login request. In this lab, your task is to analyze HTTP POST packets as follows: Use Wireshark to capture all packets. Filter the captured packets to show only HTTP POST data. Examine the packets captured to find clear text passwords. Answer the questions.
From the Favorites bar, open Wireshark. Under Capture, select enp2s0. Select the blue fin to begin a Wireshark capture. Capture packets for five seconds. Select the red box to stop the Wireshark capture. Maximize Wireshark for easier viewing. In the Apply a display filter field, type http.request.method==POST and press Enter to show the HTTP POST requests. From the middle pane, expand HTML Form URL Encoded for each packet. Examine the information shown to find clear text passwords. In the top right, select Answer Questions. Answer the questions. Select Score Lab. Q1: How many HTTP POST packets were captured? Correct answer: 3. Q2: What is the source IP address of the packet containing the clear text password? Correct answer: 192.168.0.98. Q3: What is the clear text password captured? Correct answer: St0ne$@
MAC flooding
MAC flooding is the process of overloading a switch's CAM table in hopes that it will respond by broadcasting all traffic across the network.
MAC spoofing
MAC spoofing is the process of changing the MAC address of the interface driver in an attempt to impersonate another host on the network.
Which term describes the process of sniffing traffic between a user and server, then re-directing the traffic to the attacker's machine, where malicious traffic can be forwarded to either the user or server?
Man-in-the-middle
In this lab, your task is to complete the following: On IT-Laptop, use Ettercap to launch a man-in-the-middle DHCP spoofing attack using the following parameters: Netmask: 255.255.255.0; DNS Server IP: 192.168.0.11. On Support, complete the following tasks: Start a capture in Wireshark and filter the display for DHCP traffic. View the IP address and the gateway in Terminal. Bring the network interface down and back up to request a new DHCP address. In Wireshark, how many DHCP packets were exchanged? View the IP address and gateway again. What has changed? On Office1, complete the following tasks: Use tracert to rmksupplies.com to find the path. What is the path? Check the IP address of the computer. Release and renew the IP address assigned by DHCP. Check the IP address of the computer again. What has changed? Use tracert to rmksupplies.com to find the path again. What has changed? Log in to the rmksupplies.com employee portal with the following credentials: Username: bjackson; Password: $uper$ecret1. On IT-Laptop, find the captured username and password in Ettercap. Answer the questions.
On IT-Laptop, start unified sniffing on the enp2s0 interface as follows: From the Favorites bar, select Ettercap. Select Sniff > Unified sniffing. From the Network Interface drop-down list, select enp2s0. Click OK. Select Mitm > DHCP spoofing. In the Netmask field, enter 255.255.255.0. In the DNS Server IP field, enter 192.168.0.11. Click OK. On Support, start a capture that filters for bootp packets as follows: From the top navigation tabs, select Floor 1 Overview. Under Support Office, select Support. From the Favorites bar, open Wireshark. Under Capture, select enp2s0. Select the blue fin to begin a Wireshark capture. In the Apply a display filter field, type bootp and press Enter. Request a new IP address as follows: From the Favorites bar, open Terminal. At the prompt, type ip addr show and press Enter. The IP address for enp2s0 is 192.168.0.45. Type route and press Enter. The gateway is 192.168.0.5. Type ip link set enp2s0 down and press Enter. Type ip link set enp2s0 up and press Enter to bring the interface back up. Maximize Wireshark for easier viewing. In Wireshark, under the Info column, notice that there are two DHCP ACK packets. One is the real acknowledgment (ACK) packet from the DHCP server, and the other is the spoofed ACK packet. Select the first DHCP ACK packet received. In the middle panel, expand Bootstrap Protocol (ACK). Expand Option: (3) Router. Notice the IP address for the router. Repeat steps 3g-3i for the second ACK packet. In the top right, select Answer Questions. Answer the questions. Minimize Wireshark. View the current IP addresses as follows: In Terminal at the prompt, type ip addr show and press Enter. The IP address is 192.168.0.45. Type route and press Enter. The current gateway is 192.168.0.46. This is the address of the computer performing the man-in-the-middle attack.
On Office1, view the current route and IP address as follows: From the top navigation tabs, select Floor 1 Overview. Under Office 1, select Office1. Right-click Start and select Windows PowerShell (Admin). Type tracert rmksupplies.com and press Enter. Notice that the first hop is 192.168.0.5. Type ipconfig /all and press Enter to view the IP address configuration for the computer. The configuration for Office1 is as follows: IP address: 192.168.0.33; Gateway: 192.168.0.5; DHCP server: 192.168.0.14. At the prompt, type ipconfig /release and press Enter to release the currently assigned addresses. Type ipconfig /renew and press Enter to request a new IP address from the DHCP server. Notice that the default gateway has changed to the attacker's computer, which has an IP address of 192.168.0.46. Type tracert rmksupplies.com and press Enter. Notice that the first hop is now 192.168.0.46 (the address of the attacker's computer). In Google Chrome, log into the rmksupplies.com employee portal as follows: From the taskbar, open Google Chrome. Maximize the window for easier viewing. In the URL field, enter rmksupplies.com and press Enter. At the bottom of the page, select Employee Portal. In the Username field, enter bjackson. In the Password field, enter $uper$ecret1. Select Login. You are logged in as Blake Jackson. From IT-Laptop, find the captured username and password in Ettercap as follows: From the top navigation tabs, select Floor 1 Overview. Under IT Administration, select IT-Laptop. Maximize Ettercap. In Ettercap's bottom pane, find the username and password used to log in to the employee portal. In the top right, select Answer Questions to end the lab. Select Score Lab.
It is important to be prepared for a DoS attack. These attacks are becoming more common. Which of the following best describes the response you should take for a service degradation?
Services can be set to throttle or even shut down.
Your network administrator has set up training for all the users regarding clicking on links in emails or instant messages. Which of the following is your network administrator attempting to prevent?
Session fixation
A penetration tester discovers a vulnerable application and is able to hijack a website's URL hyperlink session ID. The penetration tester is able to intercept the session ID; when the vulnerable application sends the URL hyperlink to the website, the session IDs are embedded in the hyperlink. Which of the following types of session hijacking countermeasures is the penetration tester using?
Session fixation attack
Which of the following tasks is being described? Sniff the traffic between the target computer and the server. Monitor traffic with the goal of predicting the packet sequence numbers. Desynchronize the current session. Predict the session ID and take over the session. Inject commands to target the server.
Session hijacking
Which of the following tools can be used to create botnets?
Shark, PlugBot, and Poison Ivy
Your network administrator is configuring settings so the switch shuts down a port when the max number of MAC addresses is reached. What is the network administrator taking countermeasures against?
Sniffing
You are the IT security administrator for a small corporate network. You want to spoof the DNS to redirect traffic as part of a man-in-the-middle attack. In this lab, your task is to: Use Ettercap to begin sniffing and scanning for hosts. Set Exec (192.168.0.30) as the target machine. Initiate DNS spoofing. From Exec, access rmksupplies.com.
Use Ettercap to begin sniffing and scanning for hosts as follows: From the Favorites bar, open Ettercap. Select Sniff. Select Unified sniffing. From the Network Interface drop-down list, select enp2s0. Select OK. Select Hosts and select Scan for hosts. Set Exec (192.168.0.30) as the target machine as follows: Select Hosts and select Host list. Under IP Address, select 192.168.0.30. Select Add to Target 1 to assign it as the target. Initiate DNS spoofing as follows: Select Plugins. Select Manage the plugins. Select the Plugins tab. Double-click dns_spoof to activate it. Select Mitm. Select ARP poisoning. Select Sniff remote connections. Select OK. From Exec, access rmksupplies.com as follows: From the top navigation tabs, select Floor 1 Overview. Under Executive Office, select Exec. From the taskbar, open Chrome. In the URL field, type rmksupplies.com and press Enter. Notice that the page was redirected to RUS Office Supplies despite the web address not changing.