Ch. 10 - Sniffing


A. Use encryption for all sensitive traffic.

Using sniffers has become one way for an attacker to view and gather network traffic. If an attacker overcomes your defenses and obtains network traffic, which of the following is the best countermeasure for securing the captured network traffic? A. Use encryption for all sensitive traffic. B. Implement acceptable use policies. C. Eliminate unnecessary system applications. D. Use intrusion detection countermeasures.

Denial-of-service attack

A denial-of-service attack occurs when a computer is used to flood a server with more packets than it can handle.

ARP poisoning

ARP poisoning is the process of sending spoofed messages onto a network in an attempt to associate your MAC address with the IP address of another host so the target machine will send frames to your system.

B. Black hole filtering

Creating an area of the network where offending traffic is forwarded and dropped is known as _________? A. Anti-spoofing measures B. Black hole filtering C. Enable router throttling D. Reverse proxy

Promiscuous mode

Turning on promiscuous mode gives the network interface permission to grab every frame that comes its way, even if it's addressed to someone else.

C. Passive hijacking

Which of the following is characterized by an attacker using a sniffer to monitor traffic between a victim and a host? A. Active hijacking B. Session key C. Passive hijacking D. Session ID

B. With the flood, all packets come from the same source IP address in quick succession.

You suspect that an ICMP flood attack is taking place from time to time, so you have used Wireshark to capture packets using the tcp.flags.syn==1 filter. Initially, you saw an occasional SYN or ACK packet. After a short while, however, you started seeing packets as shown in the image. Using the information shown, which of the following explains the difference between normal ICMP (ping) requests and an ICMP flood? (graphic of wireshark capture flood) A. The only difference is the number of packets that are sent. B. With the flood, all packets come from the same source IP address in quick succession. C. With the ICMP flood, ICMP packets are sent and received at a quicker rate than normal ICMP packets. D. The normal ICMP ping request only has one source address.

D. Passwords are being sent in clear text.

While performing a penetration test, you captured a few HTTP POST packets using Wireshark. After examining the selected packet, which of the following concerns or recommendations will you include in your report? (graphic of wireshark capture, can see password) A. The urgent pointer flag is set to 0. B. The checksum is unverified. C. Keep-alive connections are being used. D. Passwords are being sent in clear text.

B. Cain and Abel, Ettercap, and TCPDump

Which of the following are network sniffing tools? A. WinDump, KFSensor, and Wireshark B. Cain and Abel, Ettercap, and TCPDump C. Ufasoft snif, TCPDump, and Shark D. Ettercap, Ufasoft snif, and Shark

B. Hacktivism, profit, and damage reputation

Which of the following motivates attackers to use DoS and DDoS attacks? A. Hacktivism, turf wars, and profit B. Hacktivism, profit, and damage reputation C. Distraction, turf wars, and fun D. Distraction, extortion, and theft

C. IPsec

Which of the following protocols is one of the most common methods used to protect packet information and defend against network attacks in VPNs? A. ECC B. BLE C. IPsec D. SYN

C. Session hijacking

Which of the following tasks is being described? Sniff the traffic between the target computer and the server. Monitor traffic with the goal of predicting the packet sequence numbers. Desynchronize the current session. Predict the session ID and take over the session. Inject commands to target the server. A. Application hijacking B. Passive hijacking C. Session hijacking D. Cookie hijacking

C. Session fixation

Your network administrator has set up training for all the users regarding clicking on links in emails or instant messages. Which of the following is your network administrator attempting to prevent? A. Packet sniffing B. Packet filtering C. Session fixation D. DNS spoofing

Session ID

A combination of numbers and letters assigned to an open connection between a user and a server.

Sniffing

Sniffing is the process of collecting information as it crosses the network.

C. St@y0ut!@

You have just captured the following packet using Wireshark and the filter shown. Which of the following is the captured password? (graphic of wireshark capture) A. p@ssw0rd B. watson-p C. St@y0ut!@ D. watson

D. IKE, AH, and ESP

Which of the following are protocols included in the IPsec architecture? A. SIP, AH, and ACK B. SIP, AH, and ESP C. IKE, AH, and ACK D. IKE, AH, and ESP

B. A hacker overwhelms or damages a system and prevents users from accessing a service.

Which of the following best describes a DoS attack? A. A hacker attempts to impersonate an authorized user by stealing the user's token. B. A hacker overwhelms or damages a system and prevents users from accessing a service. C. A hacker intercepts traffic between two systems to gain access to a system. D. A hacker penetrates a system by using every character, word, or letter to gain access.

D. Collect several session IDs that have been used before and then analyze them to determine a pattern.

Which of the following best describes the process of using prediction to gain session tokens in an application-level hijacking attack? A. Review a user's browsing history to enter a previously used URL to gain access to an open session. B. Obtain a user's HTTP cookies to collect session IDs embedded within the file to gain access to a session. C. Convince the victim system that you are the server so you can hijack a session and collect sensitive information. D. Collect several session IDs that have been used before and then analyze them to determine a pattern.

C. There are multiple SYN packets with different source addresses destined for 128.28.1.1.

You are using Wireshark to try and determine if a denial-of-service (DDoS) attack is happening on your network (128.28.1.1). You previously captured packets using the tcp.flags.syn==1 and tcp.flags.ack==1 filter, but only saw a few SYN-ACK packets. You have now changed the filter to tcp.flags.syn==1 and tcp.flags.ack==0. After examining the Wireshark results shown in the image, which of the following is the best reason to conclude that a DDoS attack is happening? (graphic of wireshark capture ddos attack) A. There was a flood of SYN packets without a matching SYN-ACK packet. B. The Transmission Control Protocol shows the hex value of the SYN flag is 0x002. C. There are multiple SYN packets with different source addresses destined for 128.28.1.1. D. The source address for all SYN packets is 198.28.1.1.

A. Any device that can communicate over the Internet can be hacked.

An attacker may use compromised websites and emails to distribute specially designed malware to poorly secured devices. This malware provides an access point to the attacker, which he can use to control the device. Which of the following devices can the attacker use? A. Any device that can communicate over the Internet can be hacked. B. Only servers and workstations on the intranet can be hacked. C. Only servers and routers on the Internet can be hacked. D. Only routers and switches on the Internet can be hacked.

Port Mirroring

Port mirroring creates a duplicate of all network traffic on a port and sends it to another device.

C. Shark, PlugBot, and Poison Ivy

Which of the following tools can be used to create botnets? A. Trin00, Targa, and Jolt2 B. Jolt2, PlugBot, and Shark C. Shark, PlugBot, and Poison Ivy D. Poison Ivy, Targa, and LOIC

D. Man-in-the-middle

Which term describes the process of sniffing traffic between a user and server, then redirecting the traffic to the attacker's machine, where malicious traffic can be forwarded to either the user or server? A. Cross-site scripting B. Session hijacking C. DNS spoofing D. Man-in-the-middle

A. ARP poisoning

As part of your penetration test, you are using Ettercap in an attempt to spoof DNS. You have configured the target and have selected the dns_spoof option (see image). To complete the configuration of this test, which of the following MITM options should you select? (graphic of Ettercap Mitm dropdown menu) A. ARP poisoning B. Port stealing C. DHCP spoofing D. NDP poisoning

MAC flooding

MAC flooding is the process of overloading a switch's CAM table in hopes that it will respond by broadcasting all traffic across the network.

C. Wrote packet capture files from interface 1 into mycap.pcap.

Which of the following actions was performed using the WinDump command line sniffer? (graphic of command WinDump -i 1 -w C:test\mycap.pcap) A. Read packet capture files from interface 1 in mycap.pcap file. B. Requested that ASCII strings are included from interface 1 to mycap.pcap. C. Wrote packet capture files from interface 1 into mycap.pcap. D. Requested that hexadecimal strings be included from interface 1 to mycap.pcap.

B. Redirects all traffic before it is forwarded to a server, so the redirected system takes the impact.

Which of the following best describes a reverse proxy method for protecting a system from a DoS attack? A. Adds extra services so that there are too many platforms for the attacker to be able to flood. B. Redirects all traffic before it is forwarded to a server, so the redirected system takes the impact. C. Limits the potential impact of a DoS attack by providing additional response time. D. Creates an area of the network where offending traffic is forwarded and dropped.

D. ip.src ne 192.168.142.3

Using Wireshark filtering, you want to see all traffic except IP address 192.168.142.3. Which of the following is the best command to filter a specific source IP address? A. ip.src == 192.168.142.3 B. ip.src eq 192.168.142.3 C. ip.src && 192.168.142.3 D. ip.src ne 192.168.142.3

D. Volumetric attack

Which of the following is an attack where all traffic is blocked by taking up all available bandwidth between the target computer and the Internet? A. Phlashing attack B. Amplification attack C. Fragmentation attack D. Volumetric attack

C. A unique token that a server assigns for the duration of a client's communications with the server.

Which of the following describes a session ID? A. The destination IP address of an encrypted packet sent from a server to a client. B. The symmetric key used to encrypt and decrypt communications between a client and a server. C. A unique token that a server assigns for the duration of a client's communications with the server. D. The source IP address of an encrypted packet sent from a server to a client.

C. [email protected]

You have been asked to perform a penetration test for a company to see if any sensitive information can be captured by a potential hacker. You have used Wireshark to capture a series of packets. Using the tcp contains Invoice filter, you have found one packet. Using the captured information shown, which of the following is the account manager's email address? (graphic of wireshark capture) A. [email protected] B. [email protected] C. [email protected] D. [email protected]

A. ACME, Inc

You have been asked to perform a penetration test for a company to see if any sensitive information can be captured by a potential hacker. You have used Wireshark to capture a series of packets. Using the tcp contains Invoice filter, you have found one packet. Using the captured information shown, which of the following is the name of the company requesting payment? (graphic of wireshark capture) A. ACME, Inc B. Wood Specialist C. The Home Depot D. Lowes

C. ARP poisoning is occurring, as indicated by the duplicate response IP address.

As the cybersecurity specialist for your company, you believe a hacker is using ARP poisoning to infiltrate your network. To test your hypothesis, you have used Wireshark to capture packets and then filtered the results. After examining the results, which of the following is your best assessment regarding ARP poisoning? (graphic of wireshark capture) A. ARP poisoning is occurring, as indicated by the multiple Who Has packets being sent. B. No ARP poisoning is occurring. C. ARP poisoning is occurring, as indicated by the duplicate response IP address. D. ARP poisoning is occurring, as indicated by the short time interval between ARP packets.

A. ARP poisoning

Which of the following is the term used to describe what happens when an attacker sends falsified messages to link their MAC address with the IP address of a legitimate computer or server on the network? A. ARP poisoning B. MAC spoofing C. Port mirroring D. MAC flooding

A. Sniffing

Your network administrator is configuring settings so the switch shuts down a port when the max number of MAC addresses is reached. What is the network administrator taking countermeasures against? A. Sniffing B. Spoofing C. Filtering D. Hijacking

A. -n

The ping command is designed to test connectivity between two computers. There are several command options available to customize ping, making it a useful tool for network administrators. On Windows, the default number of ping requests is set to four. Which of the following command options will change the default number of ping requests? A. -n B. -a C. -f D. -l

Session hijacking

The process of taking over an established connection between a host and a web server. The session token can be stolen or a predicted session token can be used.

C. A man-in-the-middle spoofing attack is possible due to two DHCP ACK packets.

As the cybersecurity specialist for your company, you have used Wireshark to check for man-in-the-middle DHCP spoofing attacks using the bootp filter. After examining the results, what is your best assessment? (graphic of wireshark capture) A. A man-in-the-middle spoofing attack is possible due to the DHCP Offer packet captured from the hacker. B. Two man-in-the-middle spoofing attacks were captured. C. A man-in-the-middle spoofing attack is possible due to two DHCP ACK packets. D. No man-in-the-middle spoofing attacks are currently present.

B. Services can be set to throttle or even shut down.

It is important to be prepared for a DoS attack. These attacks are becoming more common. Which of the following best describes the response you should take for a service degradation? A. Include a checklist of all threat assessment tools. B. Services can be set to throttle or even shut down. C. Have more than one upstream connection to use as a failover. D. Add extra services, such as load balancing and excess bandwidth.

B. Only packets with either a source or destination address on the 192.168.0.0 network are captured.

Using Wireshark, you have used a filter to help capture only the desired types of packets. Using the information shown in the image, which of the following best describes the effects of using the net 192.168.0.0 filter? (graphic of wireshark capture) A. Only packets with a destination address on the 192.168.0.0 network are captured. B. Only packets with either a source or destination address on the 192.168.0.0 network are captured. C. Only packets with a source address on the 192.168.0.0 network are captured. D. Only packets with a source address of 192.168.0.0 are captured.

A. Attackers use numerous computers and connections.

Which of the following best describes the key difference between DoS and DDoS? A. Attackers use numerous computers and connections. B. Results in the server being inaccessible to users. C. Sends a large number of legitimate-looking requests. D. The target server cannot manage the capacity.

A. Only packets with 192.168.0.34 in either the source or destination address are captured.

Using Wireshark, you have used a filter to help capture only the desired types of packets. Using the information shown in the image, which of the following best describes the effects of using the host 192.168.0.34 filter? (graphic of wireshark capture) A. Only packets with 192.168.0.34 in either the source or destination address are captured. B. Only packets with 192.168.0.34 in the source address are captured. C. Only packets with 192.168.0.34 in the destination address are captured. D. Only packets on the 192.168.0.34 network are captured.

B. Session fixation attack

A penetration tester discovers a vulnerable application and is able to hijack a website's URL hyperlink session ID. The penetration tester is able to intercept the session ID; when the vulnerable application sends the URL hyperlink to the website, the session IDs are embedded in the hyperlink. Which of the following types of session hijacking countermeasures is the penetration tester using? A. TCP/IP session hijacking B. Session fixation attack C. Man-in-the-middle attack D. UDP session hijacking

D. Fraggle attack

A hacker has discovered UDP protocol weaknesses on a target system. The hacker attempts to send large numbers of UDP packets from a system with a spoofed IP address, which broadcasts out to the network in an attempt to flood the target system with an overwhelming amount of UDP responses. Which of the following DoS attacks is the hacker attempting to use? A. Smurf attack B. SYN flood C. Teardrop attack D. Fraggle attack

C. -SX port 443

A security analyst is using tcpdump to capture suspicious traffic detected on port 443 of a server. The analyst wants to capture the entire packet with hexadecimal and ASCII output only. Which of the following tcpdump options will achieve this output? A. -SA port 443 B. src port 443 C. -SX port 443 D. -SXX port 443

D. Active hijacking

Jason, an attacker, has manipulated a client's connection to disconnect the real client and allow the server to think that he is the authenticated user. Which of the following describes what he has done? A. Session sniffing B. Passive hijacking C. Cross-site scripting D. Active hijacking

MAC spoofing

MAC spoofing is the process of changing the MAC address of the interface driver in an attempt to impersonate another host on the network.

Distributed denial-of-service attack

Distributed denial-of-service attacks use numerous computers and internet connections across the globe to overload target systems.
