Ethical Hacking: Module 06 Network Level Attacks & Countermeasures


Which of the following protocols is vulnerable to a sniffing attack as passwords and data are sent in clear text?

(FTP) File Transfer Protocol

BeRoot

A post-exploitation tool that checks for common misconfigurations that could be used to escalate privileges.

Ping of Death Attack

An ICMP packet crafted (via fragmentation) to reassemble to more than the maximum IP packet size of 65,535 bytes; the oversized reassembly causes the recipient system to crash or freeze.

UDP flood attack

A denial-of-service attack based on sending a huge number of UDP packets.

Wireshark

A popular network analysis tool to capture network packets and display them at a granular level for real-time or offline analysis

Post Office Protocol (POP)

A protocol that resides on an incoming mail server. The current version is POP3.

hping3

A tool that can map the network topology and help locate firewall vulnerabilities

James, a professional hacker, performed a session hijacking attack against a victim connected to the same network. James captured the TCP sequence and acknowledgment numbers of the victim to craft his own packets. He then interrupted the connection between the server and the victim and injected the crafted packets into the server as a legitimate user. Given below are different steps followed by James when performing session hijacking: 1. Session desynchronization 2. Monitor 3. Session ID pr

A. 4, 2, 1, 3, 5

Noah, a professional hacker, planned to launch a DDoS attack on his target organization and disrupt their normal services. He employed a tool designed to attack up to 256 target URLs simultaneously; it can send HTTP POST and GET requests to a target computer and has lulz-inspired GUIs. Which of the following tools helped Noah perform the DDoS attack? A. High Orbit Ion Cannon (HOIC) B. NetBIOS Enumerator C. Wireshark D. Arpspoof

A. High Orbit Ion Cannon (HOIC)

Identify the technique that sends non-broadcast ARP to all the nodes in the network, and the node that runs in promiscuous mode broadcasts a ping message on the network with the local IP address but a different MAC address.

ARP Method

Which of the following is not a countermeasure for defending against sniffing attacks?

Always use FTP for transferring files.

Which of the following practices is NOT a countermeasure for defending against sniffing attacks?

Always use HTTP to protect user names and passwords

SNMP (Simple Network Management Protocol)

An Application-layer protocol used to exchange information between network devices.

Fragmentation Attack

An attack that exploits vulnerabilities in the fragment reassembly functionality of the TCP/IP protocol stack.

DNS poisoning

An attack that substitutes DNS addresses so that the computer is automatically redirected to an attacker's device.

DHCP starvation attack

An attacker floods the DHCP server with bogus DHCP requests and eventually the DHCP server pool is exhausted.

OWASP ZAP (Open Web Application Security Project Zed Attack Proxy)

An open source web application security scanner

Which of the following tools helps an attacker perform an ARP poisoning attack?

Arpspoof or Driftnet

David, a network administrator, was assigned to analyze the network for signatures of a session hijacking attack on an organization. David captured all the network traffic using packet sniffing tools and used various filters to find any repeated ARP update packets. Which of the following methods has David employed in the above scenario to detect session hijacking attacks? A. intrusion detection system B. manual method C. intrusion prevention system D. automatic method

B. manual method
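A worked version of the manual method David uses, as an added example that is not part of the course material: replay a constructed list of captured ARP replies and flag the signatures of poisoning (an IP whose MAC changes, the same forged reply re-sent to keep caches poisoned, one MAC answering for several IPs, and any reply that contradicts a static ARP table for the gateway). All addresses, timings and thresholds below are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample of ARP replies captured on a segment: (seconds, sender IP, sender MAC).
ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),    # real gateway announces itself
    (1.0, "192.168.1.10", "00:11:22:33:44:10"),   # a client
    (30.0, "192.168.1.1", "de:ad:be:ef:00:01"),   # forged reply: gateway IP, attacker MAC
    (32.0, "192.168.1.1", "de:ad:be:ef:00:01"),   # re-sent so victim caches stay poisoned
    (34.0, "192.168.1.1", "de:ad:be:ef:00:01"),
    (35.0, "192.168.1.10", "de:ad:be:ef:00:01"),  # attacker also claims the client: two-way MITM
]

# Hypothetical static table, as the "permanently add the gateway MAC" countermeasure gives you.
TRUSTED_ARP = {"192.168.1.1": "00:11:22:33:44:01"}


def detect_arp_poisoning(replies, trusted=None, repeat_window=10.0, repeat_threshold=3):
    """Return alert dicts. Signatures checked:
      ip_mac_conflict         an IP previously seen with one MAC is now announced by another
      repeated_reply          the same IP/MAC pair announced >= repeat_threshold times within
                              repeat_window seconds (hosts rarely re-announce; poisoning tools
                              do, to outrun cache expiry)
      mac_claims_multiple_ips one MAC answering for several IPs
      static_mismatch         a reply contradicting the trusted static table, if one is given
    Each (signature, key) pair is reported once."""
    alerts, emitted = [], set()
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    recent = defaultdict(deque)          # (ip, mac) -> timestamps within the window

    def alert(kind, key, **fields):
        if (kind, key) not in emitted:
            emitted.add((kind, key))
            alerts.append({"type": kind, **fields})

    for ts, ip, mac in replies:
        if trusted and ip in trusted and trusted[ip] != mac:
            alert("static_mismatch", (ip, mac), ip=ip, expected=trusted[ip], seen=mac, t=ts)
        if ip_to_macs[ip] and mac not in ip_to_macs[ip]:
            alert("ip_mac_conflict", (ip, mac), ip=ip, previous=sorted(ip_to_macs[ip]), new=mac, t=ts)
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alert("mac_claims_multiple_ips", mac, mac=mac, ips=sorted(mac_to_ips[mac]), t=ts)
        window = recent[(ip, mac)]
        window.append(ts)
        while ts - window[0] > repeat_window:
            window.popleft()
        if len(window) >= repeat_threshold:
            alert("repeated_reply", (ip, mac), ip=ip, mac=mac, count=len(window), t=ts)
    return alerts


if __name__ == "__main__":
    for a in detect_arp_poisoning(ARP_REPLIES, trusted=TRUSTED_ARP):
        print(a)
```

The same four checks are what an IDS rule set automates; on a real capture you would feed it the sender fields of every `arp.opcode == 2` packet, and a single gratuitous reply is normal while a burst of them for the gateway address is not.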

In which of the following techniques does an attacker predict the sequence numbers that a victim host sends to create a connection that appears to originate from the host and then hijacks the communication?

Blind Hijacking

Lopez, a professional hacker, targets his opponent's system and performs spoofing attacks by using multiple intermediary and secondary machines. He exploited the TCP three-way handshake vulnerability and initiated sending requests to the intermediary hosts, reflecting the attack traffic to the target. Identify the attack technique employed by Lopez in the above scenario. A. MAC flooding B. peer-to-peer attack C. DRDoS attack D. Phlashing

C. DRDoS attack

George, a professional hacker, targeted an organization's server to cause reputational damage to the organization. For this purpose, he employed an ARP poisoning tool that forges ARP replies from the target server, resulting in customers navigating to the attacker-owned host, which contains irrelevant information for the customers. Which of the following tools helped George in the above scenario to perform an ARP poisoning attack? A. Netstat B. LUCY C. Ettercap D. Trape

C. Ettercap

Jack, a professional hacker, has targeted a website that uses linear algorithms to create shorter session IDs for logged-in users. Jack created a forged valid session ID and logged in to other accounts by studying the sequential pattern. Which of the following weaknesses has Jack exploited in the above scenario to hijack session IDs? A. indefinite session timeout B. insecure handling of session IDs C. weak session ID generation D. absence of account lockout for invalid session IDs

C. weak session ID generation

Clark, a professional hacker, targeted an organization's network to steal credentials being shared during active sessions. He collected the physical address of the legitimate users connected to the switch port. Then, Clark started spoofing his physical address with the physical address of a legitimate client and received all the traffic destined for that client. Which of the following attacks has Clark performed in the above scenario? A. DHCP starvation attack B. ARP spoofing C. DNS spoofing D. MAC duplicating

D. MAC duplicating

Smith, a professional hacker, initiated a network sniffing attack on the switched Ethernet environment of a target organization. He employed an automated tool to flood the switch with a fake physical address until the switch translation table became full. When the switch entered fail-open mode, it started acting as a hub by broadcasting packets. Now, Smith could easily accomplish his goal of network sniffing. Identify the type of attack performed by Smith in the above scenario. A. ARP poisoning B. DHCP starvation C. DNS poisoning D. MAC flooding

D. MAC flooding

In which of the following OSI layers do sniffers operate and perform an initial compromise?

Data Link Layer

Which of the following guidelines should be followed to eliminate the risk of session hijacking?

Implement timeout to destroy sessions when expired

L0phtCrack

Is a password auditing and recovery application. It uses multiple assessment methods to assist administrators in reducing security risks.

MAC Flooding Attack

The act of attempting to overload the switch's content addressable memory (CAM) table, forcing legitimate MAC addresses out of it. This can cause a DoS against the switch, or make it fall back to flooding frames out of every port like a hub. It can be countered with port security on the switch, limiting the number of MAC addresses a port can learn.
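To make the mechanism concrete, here is an added simulation (not part of the course material, and not vendor code) of a learning switch with a small CAM table. It runs the scenario from the Smith question above twice: an attacker on port 3 floods bogus source MACs, the legitimate hosts' entries age out, and we check which ports then receive host A's unicast traffic to host B. Without port security the attacker's port gets it; with a per-port MAC limit the attacker's port is err-disabled on the first violation. Table size, aging timer and addresses are illustrative assumptions.

```python
from collections import defaultdict


class Switch:
    """Toy CAM-table model of a learning switch (constructed for this example).
    port_security_limit caps how many source MACs a port may learn; exceeding it err-disables
    the port, like Cisco 'switchport port-security' in its default shutdown violation mode."""

    def __init__(self, ports, cam_capacity, aging_time=300, port_security_limit=None):
        self.ports = list(ports)
        self.capacity = cam_capacity
        self.aging_time = aging_time
        self.limit = port_security_limit
        self.cam = {}                            # mac -> (port, last_seen)
        self.learned_per_port = defaultdict(set)
        self.err_disabled = set()

    def _age_out(self, now):
        for mac, (port, seen) in list(self.cam.items()):
            if now - seen > self.aging_time:
                del self.cam[mac]
                self.learned_per_port[port].discard(mac)

    def receive(self, now, src_mac, src_port, dst_mac):
        """Process one frame and return the egress ports it is sent out of."""
        self._age_out(now)
        if src_port in self.err_disabled:
            return []
        if src_mac in self.cam:
            self.cam[src_mac] = (src_port, now)                 # refresh existing entry
        elif self.limit is not None and len(self.learned_per_port[src_port]) >= self.limit:
            self.err_disabled.add(src_port)                      # port-security violation
            return []
        elif len(self.cam) < self.capacity:
            self.cam[src_mac] = (src_port, now)                 # learn new source
            self.learned_per_port[src_port].add(src_mac)
        # else: CAM full, the source address is simply not learned
        if dst_mac in self.cam:
            return [self.cam[dst_mac][0]]                        # known unicast: one port
        return [p for p in self.ports if p != src_port]          # unknown: flood like a hub


HOST_A, HOST_B = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"
ATTACKER_PORT = 3


def flood(sw, start, count):
    """macof-style burst: every frame carries a fresh bogus source MAC."""
    for i in range(count):
        bogus = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        sw.receive(start + i * 0.01, bogus, ATTACKER_PORT, "ff:ff:ff:ff:ff:ff")


def run_scenario(port_security_limit=None, cam_capacity=64):
    """Return the set of ports that receive A's unicast traffic to B after the attack."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=cam_capacity, port_security_limit=port_security_limit)
    sw.receive(0, HOST_A, 1, HOST_B)       # A and B talk; both get learned
    sw.receive(0, HOST_B, 2, HOST_A)
    flood(sw, 10, cam_capacity * 2)        # attacker fills the table
    flood(sw, 400, cam_capacity * 2)       # and keeps it full after the 300 s aging timer expires
    sw.receive(405, HOST_B, 2, HOST_A)     # B tries to get re-learned
    return set(sw.receive(406, HOST_A, 1, HOST_B))


if __name__ == "__main__":
    print("no port security:", sorted(run_scenario()))      # attacker port 3 sees A->B
    print("limit 2 MACs/port:", sorted(run_scenario(2)))    # only B's port
```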

Which of the following distributes, inquiries into, retrieves, and posts news articles using a reliable stream based transmission of news among the ARPA-Internet community?

NNTP (Network News Transfer Protocol)

James, a certified hacker, was hired to intrude into an organization's network to perform malicious activities. James targeted an employee's system and started sending fraudulent and defective firmware updates. Soon after the employee clicked on one of the updates received, the attacker achieved complete control over the victim's system and gained access to the organization's network. Identify the type of attack performed by James in the above scenario.

Permanent Denial of Service Attack

Which of the following techniques is useful in detecting a system that runs in promiscuous mode and in turn helps detect sniffers installed on the network?

Ping Method

Telnet

Port 23

List of Countermeasures for combating DoS/DDoS attacks

Prevent the transmission of fraudulently addressed packets at the ISP level
Configure the firewall to deny external ICMP traffic access
Secure remote administration and connectivity testing
Stop data processed by the attacker from being executed
Prevent the use of unnecessary functions such as gets and strcpy
Prevent the return addresses from being overwritten

Which of the following countermeasures helps security teams defend against DDoS attacks on the network and system?

Prevent the use of unnecessary functions such as gets and strcpy

Countermeasure to Defend Against Sniffing

Restrict physical access to the network media to ensure that a packet sniffer cannot be installed
Use end-to-end encryption to protect confidential information
Permanently add the MAC address of the gateway to the ARP cache
Use static IP addresses and ARP tables to prevent attackers from adding spoofed ARP entries for machines in the network
Turn off network identification broadcasts
Use IPv6 instead of IPv4
Use a switch instead of a hub, as a switch delivers data only to the intended recipient
Retrieve MAC addresses directly from NICs instead of the OS; this prevents MAC address spoofing
Use tools to determine if any NICs are running in promiscuous mode
Use Access Control Lists (ACLs) to allow access only to a fixed range of trusted IP addresses in a network
Change default passwords to complex passwords
Avoid broadcasting SSIDs (Service Set Identifiers)

Which of the following protocols is a TCP/IP based protocol used to exchange management information between devices connected on a network?

SNMP (Simple Network Management Protocol)

Identify the type of attack in which the attacker sends a large number of connection requests to the target server with fake source IP addresses, creating incomplete TCP connections that use up all network resources.

SYN Flood Attacks
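The following detection logic is an added example, not part of the course material. It replays a constructed list of inbound TCP segments towards a server port and tracks each (source, source port) pair through the handshake: a SYN with no follow-up ACK stays half-open. It reports two things, because they catch different floods: the per-source half-open count (a single noisy source) and the peak SYN rate across all sources (a spoofed-source flood, where every source shows only one half-open connection and a per-source rule never fires). Timestamps are in milliseconds, and all addresses and thresholds are constructed.

```python
from collections import defaultdict, deque


def build_sample_events():
    """Constructed inbound segments: (ms, source IP, source port, flags), flags as
    Wireshark-style letters S=SYN, A=ACK, R=RST, F=FIN."""
    events = []
    for sport, t in ((40001, 0), (40002, 100)):          # legitimate client completes handshakes
        events.append((t, "10.0.0.5", sport, "S"))
        events.append((t + 50, "10.0.0.5", sport, "A"))
    for i in range(30):                                  # spoofed flood: one SYN per bogus source
        events.append((1000 + 10 * i, f"203.0.113.{i + 1}", 50000 + i, "S"))
    for i in range(8):                                   # one source opening many half-open conns
        events.append((2000 + 10 * i, "198.51.100.7", 60000 + i, "S"))
    return sorted(events)


EVENTS = build_sample_events()


def half_open_by_source(events):
    """Replay handshake state per (src, sport); count connections left at SYN-received."""
    state = {}
    for _, src, sport, flags in events:
        key = (src, sport)
        if "S" in flags and "A" not in flags:
            state[key] = "syn_received"
        elif "A" in flags and state.get(key) == "syn_received":
            state[key] = "established"
        elif "R" in flags or "F" in flags:
            state.pop(key, None)
    counts = defaultdict(int)
    for (src, _), st in state.items():
        if st == "syn_received":
            counts[src] += 1
    return dict(counts)


def peak_syn_rate(events, window_ms=1000):
    """Highest number of SYNs seen in any sliding window, regardless of source."""
    q, peak = deque(), 0
    for t, _, _, flags in events:
        if "S" in flags and "A" not in flags:
            q.append(t)
            while q[0] <= t - window_ms:
                q.popleft()
            peak = max(peak, len(q))
    return peak


def detect_syn_flood(events, per_source_threshold=5, rate_threshold=20, window_ms=1000):
    """Return alerts for noisy single sources and for aggregate SYN bursts."""
    alerts = []
    for src, n in sorted(half_open_by_source(events).items()):
        if n >= per_source_threshold:
            alerts.append({"type": "half_open_per_source", "src": src, "half_open": n})
    peak = peak_syn_rate(events, window_ms)
    if peak >= rate_threshold:
        alerts.append({"type": "syn_rate", "peak_per_window": peak, "window_ms": window_ms})
    return alerts


if __name__ == "__main__":
    for a in detect_syn_flood(EVENTS):
        print(a)
```

Note that the spoofed sources never trip the per-source rule; only the aggregate rate does, which is why SYN-flood defenses (SYN cookies, backlog tuning, upstream rate limiting) key on totals rather than on individual clients.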

Which of the following countermeasures helps security professionals defend against DoS/DDoS attacks?

Secure remote administration and connectivity testing

In which of the following session hijacking phases does an attacker break the connection to the victim's machine by knowing the next sequence number (NSN)?

Session Desynchronization

Ettercap

Sniffer suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly and many other tricks. It supports active and passive dissection of many protocols (even encrypted ones) and includes many features for network and host analysis.

MAC duplication

Spoofing a MAC address, but used for DoS.

Command Injection

Start injecting packets to the target server.

Session ID Prediction

Take over the session

Which of the following protocols is used to communicate through port 23 and allows an attacker to log into a network machine remotely via a TCP connection to sniff keystrokes, including usernames and passwords, that are sent in cleartext?

Telnet
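Both cleartext-credential items on this page (FTP near the top and Telnet here) are illustrated by the following added example; it is not part of the course material. It replays two constructed captures, already reassembled into client/server segments the way Wireshark's "Follow TCP Stream" presents them, and pulls out what a sniffer gets: the FTP USER/PASS pair with the server's verdict, and a Telnet login typed one keystroke per segment after stripping option negotiation. Host names, user names and passwords are made up, and the Telnet parser deliberately ignores subnegotiation blocks (IAC SB ... IAC SE).

```python
# Each capture is a list of (direction, payload): "C" = client->server, "S" = server->client.

FTP_SESSION = [                                  # constructed sample
    ("S", b"220 ftp.example.test FTP server ready\r\n"),
    ("C", b"USER alice\r\n"),
    ("S", b"331 Password required for alice\r\n"),
    ("C", b"PASS hunter2\r\n"),
    ("S", b"230 User alice logged in\r\n"),
    ("C", b"SYST\r\n"),
    ("S", b"215 UNIX Type: L8\r\n"),
]


def extract_ftp_credentials(segments):
    """Pair each USER/PASS exchange with the server's verdict (230 accepted, 530 rejected)."""
    found = []
    user = password = None
    for direction, payload in segments:
        for raw in payload.split(b"\n"):
            line = raw.rstrip(b"\r")
            if direction == "C":
                verb, _, arg = line.partition(b" ")
                if verb.upper() == b"USER":
                    user, password = arg.decode(errors="replace"), None
                elif verb.upper() == b"PASS":
                    password = arg.decode(errors="replace")
            elif user is not None and password is not None and line[:3] in (b"230", b"530"):
                found.append({"user": user, "password": password, "accepted": line[:3] == b"230"})
                user = password = None
    return found


IAC = 0xFF  # Telnet "Interpret As Command" byte (RFC 854)


def strip_telnet_commands(data):
    """Remove option negotiation so only typed bytes remain. Handles IAC IAC (escaped 0xFF),
    IAC WILL/WONT/DO/DONT <option> (three bytes) and other two-byte IAC commands;
    subnegotiation (IAC SB ... IAC SE) is not handled in this minimal constructed parser."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b == IAC and i + 1 < len(data):
            cmd = data[i + 1]
            if cmd == IAC:
                out.append(IAC)
                i += 2
            elif 251 <= cmd <= 254:          # WILL, WONT, DO, DONT carry one option byte
                i += 3
            else:                            # NOP, GA and friends
                i += 2
            continue
        out.append(b)
        i += 1
    return bytes(out)


TELNET_SESSION = [                               # constructed sample, one segment per keystroke
    ("S", b"\xff\xfd\x18login: "),               # IAC DO TERMINAL-TYPE, then the prompt
    ("C", b"\xff\xfc\x18"),                      # IAC WONT TERMINAL-TYPE
    ("C", b"b"), ("C", b"o"), ("C", b"b"), ("C", b"\r\n"),
    ("S", b"Password: "),
    ("C", b"s"), ("C", b"3"), ("C", b"c"), ("C", b"r"), ("C", b"e"), ("C", b"t"), ("C", b"\r\x00"),
    ("S", b"\r\nWelcome\r\n$ "),
]


def reassemble_telnet_input(segments):
    """Concatenate the client's keystrokes and split on the NVT end of line
    (CR LF, or CR NUL as some clients send). Only complete lines are returned."""
    typed = strip_telnet_commands(b"".join(p for d, p in segments if d == "C"))
    typed = typed.replace(b"\r\x00", b"\r\n")
    return [line.decode(errors="replace") for line in typed.split(b"\r\n")[:-1]]


if __name__ == "__main__":
    print(extract_ftp_credentials(FTP_SESSION))
    print(reassemble_telnet_input(TELNET_SESSION))   # the login name, then the password
```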

Smurf Attack

The attacker spoofs the source IP address with the victim's IP address and sends a large number of ICMP ECHO request packets to an IP broadcast network.

Monitor

Monitor the flow of packets and predict the sequence number.

ARP Method

This technique sends a non-broadcast ARP to all the nodes in the network. The node that runs in promiscuous mode on the network will cache the local ARP address. Then, it will broadcast a ping message on the network with the local IP address but a different MAC address.

Ping Method

To detect a sniffer on a network, identify the system on the network running in promiscuous mode. The ping method is useful in detecting a system that runs in promiscuous mode, which in turn helps to detect sniffers installed on the network: send an ICMP echo request to the suspect's IP address but with a wrong destination MAC address; a NIC in normal mode drops the frame, whereas a host in promiscuous mode accepts it and replies.

ARP Spoofing Attack

An attack that involves constructing a large number of forged ARP request and reply packets to overload a switch, which sets it in 'forwarding mode', allowing the attacker to sniff all of the network packets.

Which of the following countermeasures should be followed to defend against session hijacking?

Use HPKP (HTTP Public Key Pinning) to allow users to authenticate web servers. (HPKP has since been deprecated and removed from major browsers; HSTS and Certificate Transparency are the current equivalents.)

Which of the following countermeasures helps security teams defend against sniffing attacks?

Use static IP addresses and ARP tables.

Which of the following guidelines should be implemented to protect connections against session hijacking?

Use strings or long random numbers as session keys.
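The Jack question above (sequential session IDs from a linear rule) and the two session-hijacking guidelines (timeouts, long random session keys) are both illustrated by this added example; it is not part of the course material. The weak generator and its constants are constructed, the prediction function shows the attacker's side, and the session store shows the countermeasures: 256-bit IDs from the OS CSPRNG plus idle and absolute timeouts that destroy the session.

```python
import secrets


class WeakSessionIds:
    """Constructed example of the flaw: short sequential IDs from a linear rule,
    sid_n = (a*n + b) mod m. The constants are illustrative, not from any real product."""

    def __init__(self, a=7919, b=104729, m=10**8):
        self.a, self.b, self.m, self.n = a, b, m, 0

    def next_id(self):
        self.n += 1
        return (self.a * self.n + self.b) % self.m


def predict_next_linear(observed, m=10**8):
    """Attacker's side: two consecutive IDs (e.g. from two of the attacker's own logins)
    reveal the step a, so the next victim's ID is the last one plus the step.
    Assumes no other session was issued between the two observations."""
    step = (observed[-1] - observed[-2]) % m
    return (observed[-1] + step) % m


class SessionStore:
    """Countermeasures: long random session keys plus timeouts that destroy sessions."""

    def __init__(self, idle_timeout=900, absolute_timeout=8 * 3600):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.sessions = {}

    def create(self, user, now):
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG, 43 URL-safe chars
        self.sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid, now):
        """Return the user of a live session, or None; expired sessions are destroyed on sight."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > self.idle_timeout or now - s["created"] > self.absolute_timeout:
            del self.sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def destroy(self, sid):
        """Explicit logout: a hijacked ID is useless once the server has forgotten it."""
        self.sessions.pop(sid, None)


if __name__ == "__main__":
    weak = WeakSessionIds()
    seen = [weak.next_id(), weak.next_id()]
    print("attacker predicts", predict_next_linear(seen), "server issues", weak.next_id())
    store = SessionStore()
    sid = store.create("alice", now=0)
    print("random id:", sid, "-> user", store.lookup(sid, now=10))
    print("after 16 min idle:", store.lookup(sid, now=10 + 16 * 60))
```

The absolute timeout matters even for an active user: it bounds how long a stolen ID stays valid regardless of how often the hijacker refreshes it.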

Which of the following GUI tools helps attackers sniff live network traffic from Ethernet and provides filters for customized data display?

Wireshark

IMAP (Internet Message Access Protocol)

a common protocol for retrieving email messages via the Internet

LOIC

a commonly used distributed denial of service (DDoS) attack toolkit

ARP Poisoning Attack

also known as ARP spoofing, occurs when an attacker with access to the target network redirects an IP address to the MAC address of a computer that is not the intended recipient

Joe, an attacker, was hired to target a company's server and make its services unavailable to valid users. Joe employed a command line oriented tool to initiate a DoS attack on the target website's server by crafting custom ICMP echo request packets. Which of the following tools did Joe use?

hping3

Permanent Denial-of-Service (PDoS)

Prevents the target's system or device from working at all. Instead of collecting data or providing some ongoing malicious function, its objective is to completely prevent the target's device(s) from functioning, typically by pushing corrupted firmware that bricks the hardware. Also known as phlashing.

SYN flooding attack

variation of a DoS where the attacker sends fake communication requests to the targeted system
