Chapter 10 Sniffing, Among Other Things
What action was performed using the WinDump command line sniffer?
Wrote packet capture files from interface 1 into mycap.pcap
The ping command is designed to test connectivity between two computers. There are several commands available to customize ping, making it useful to network admins. On Windows, the default number of ping requests is four. Which command will change the default number of ping requests?
-n
What best describes the difference between a DoS and a DDoS attack?
Attackers use numerous computers and connections
It is important to prepare for DoS attacks, which are becoming more common. What best describes the response you should take with service degradation?
Services can be set to throttle or even shut down
You're using Wireshark to try and determine if a denial-of-service (DDoS) attack is occurring on your network (128.28.1.1). You captured packets using the tcp.flags.syn==1 and the tcp.flags.ack==0. After examining the results, what is the best reason to conclude a DDoS attack is happening?
There are multiple SYN packets with different source addresses destined for 128.28.1.1
You've been asked to perform a pen test for a company to see if sensitive info can be captured by potential hackers. You have used Wireshark to cap a series of packets. Using tcp contains Invoice filter, you found one packet. Using the info below what is the account manager's email address?
Which of the following describes a session ID?
A unique token that a server assigns for the duration of a client's communications with the server.
While performing a pen test you captured a few HTTP POST packets using Wireshark. After examining the selected packet, what concerns or recommendations will you include in your report?
Passwords are being sent in clear text
What best describes the reverse proxy method for protecting systems from DoS attacks?
Redirects all traffic before it is forwarded to a server, so the redirected system takes the impact
What task is being described by the following: 1.sniff traffic btwn target computer and server. 2.Monitor traffic with goal of predicting packet sequence numbers. 3.Desynchronize current session. 4.Predict session ID and take over session. 5.Inject commands to target server
Session Hijacking
Your net admin has set up training for all the users regarding clicking on links in emails or instant messages. What is the net admin attempting to prevent?
Session fixation
A pen tester has discovered a vulnerable application and is able to hijack a website's URL hyperlink session ID. The pen tester is able to intercept the session ID; when the vulnerable application send the URL hyperlink to the website, the session IDs are embedded in the hyperlink. What session hijacking countermeasure are they using?
Session fixation attack
Which tools can be used to create botnets?
Shark, PlugBot, and Poison Ivy
Jason, an attacker, has manipulated a client's connection to disconnect the real client and allow the server to think that he is the authenticated user. What describes what he has done?
Active Hijacking
What is characterized by an attacker using a sniffer to monitor traffic between a victim and a host?
Passive Hijacking
You have just captured the following packet using Wireshark and the filter shown. What is the captured password?
St@y0ut!@
A security analyst is using tcpdump to cap suspicious traffic detected on port 443 of a server. The analyst wants the entire packet captured in hexadecimal and ascii output only. What tcpdump option will achieve this?
-SX port 443
As part of your pen test you are using Ettercap to attempt to spoof DNS. You have configured the target and chosen the dns_spoof option. To complete configuration, what MitM option should you select?
ARP poisoning
What term is used to describe what happens when an attacker sends falsified messages to link their MAC addresses with the IP address of a legit computer or server on the network?
ARP poisoning
What describes the process of using prediction to gain session tokens in an application hijacking attack?
Collect several session IDs that have been used before and analyze them to determine a pattern
A hacker has discovered UDP protocol weaknesses on a target system. The hacker attempts to send large numbers of UDP packets from a system with a spoofed IP address, which broadcasts out to the network in an attempt to flood the target system with an overwhelming amount of UDP responses. What DoS attack is the hacker attempting to use?
Fraggle attack
Using Wireshark filtering, you want to see all traffic except IP addresses 192.168.142.3. What is the best command to filter a specific source IP address?
ip.src ne 192.168.142.3
As the cybersecurity specialist in your company, you used Wireshark to check for man-in-the-middle DHCP spoofing attacks using the bootp filter. After examining the results, what is your best assessment?
A man-in-the-middle spoofing attack is possible due to two DHCP ACK packets
Attackers may use compromised websites and emails to distribute specially designed malware to poorly secured devices. The malware provides an access point to an attacker, which he can use to control the device. What device can the attacker use?
Any device that can communicate over the intranet can be hacked
What best describes a DoS attack?
A hacker overwhelms or damages a system and prevents users from accessing a service
You suspect an ICMP flood is taking place from time to time, so you used Wireshark to cap packets using the tcp.flags.syn==1 filter. Initially, you saw an occasional SYN or ACK packet. After a short while. the packets changed. What best explains the difference between normal ICMP (ping) requests and ICMP floods?
With the flood, all packets come from the same source IP address in quick succession
You've been asked to perform a pen test for a company to see if sensitive info can be captured by potential hackers. You have used Wireshark to cap a series of packets. Using tcp contains Invoice filter, you found one packet. Using the info below what is the name of the company requesting payment?
ACME, Inc
As the cybersecurity specialist for your company, you believe a hacker is using ARP poisoning to infiltrate your network. To test your hypothesis, you used Wireshark to cap packets and filter the results. After examining the results, what is your best assessment regarding ARP poisoning?
ARP poisoning is occurring, as indicated by the duplicate response IP addresses.
Creating an area of the network where offending traffic is forwarded and dropped is known as...
Black hole filtering
What term describes the process of sniffing traffic btwn a user and a server, the re-directing the traffic to the attacker's machine, where malicious traffic can be forwarded to either the user or the server?
Man-in-the-Middle attack
Which of the following are network sniffing tools?
Cain and Abel, Ettercap, and TCPDump
What is an attack where all traffic is blocked by taking up all available bandwidth between the target computer and the Internet?
Volumetric attack
Your net admin is configuring settings so the switch shuts down a port when the max number of MAC addresses is reached. What are they taking counters against?
Sniffing
Using sniffers has become one way for an attacker to view and gather net traffic. If an attacker overcomes your defenses and obtains net traffic what is the best countermeasure for securing the captured net traffic?
Use encryption for all sensitive traffic
What motivates hackers to use DoS and DDoS attacks?
Hactivism, profit, and damage reputations
What are protocols included in the IPsec architecture?
IKE, AH, and ESP
What protocol is one of the most common methods used to protect packet information and defend against network attacks in VPNs?
IPsec
Using Wireshark, you have used a filter to capture only the desired types of packets. Using the info, what describes the effects of using the net 192.168.0.34 filter?
Only packets with 192.168.0.34 in either the source or destination address are captured
Using Wireshark, you have used a filter to capture only the desired types of packets. Using the info, what describes the effects of using the net 192.168.0.0 filter?
Only packets with either a source or destination address on the 192.168.0.0 network are captured
