Exam II Study Guide
Assume a typical IPv4 CIDR addressing scheme, fill in the blanks: # bits for Net ID: 2; # bits for Host ID: ___; # hosts/network: ___; Prefix length (in slash notation): ___; Subnet mask in octets: ___
# bits for Host ID: 30; # hosts/network: 2**30-2; Prefix length (in slash notation): /2; Subnet mask in octets: 192.0.0.0
Assume a typical IPv4 CIDR addressing scheme, fill in the blanks: # bits for Net ID: ___; # bits for Host ID: ___; # hosts/network: 16-2; Prefix length (in slash notation): ___; Subnet mask in octets: ___
# bits for Net ID: 28; # bits for Host ID: 4; # hosts/network: 16-2; Prefix length (in slash notation): /28; Subnet mask in octets: 255.255.255.240
Assume a typical IPv4 CIDR addressing scheme, fill in the blanks: # bits for Net ID: ___; # bits for Host ID: 28; # hosts/network: ___; Prefix length (in slash notation): ___; Subnet mask in octets: ___
# bits for Net ID: 4; # hosts/network: 2**28-2; Prefix length (in slash notation): /4; Subnet mask in octets: 240.0.0.0
Assume a typical IPv4 CIDR addressing scheme, fill in the blanks: # bits for Net ID: ___; # bits for Host ID: ___; # hosts/network: 2**25-2; Prefix length (in slash notation): ___; Subnet mask in octets: ___
# bits for Net ID: 7; # bits for Host ID: 25; # hosts/network: 2**25-2; Prefix length (in slash notation): /7; Subnet mask in octets: 254.0.0.0
The _______ _______ engine is the core of Wireshark that breaks out relevant information from capture libraries.
(Dumpcap) capture
What is the default country code top level domain?
.com
4500 0060 893c 0000 7611 f904 ad4d abcc 47cf 44f9 0089 0087 004c 1fd7 0d42 4000 0001 0000 0000 0001 2041 4241 4346 5046 5045 4e46 4445 4346 4345 5046 4846 4445 4646 5046 5041 4341 4200 0020 0001 c00c 0020 0001 0004 93e0 0006 8000 ccf0 8f65 What is the destination port (in decimal)?
0x0087 = 135
4500 0060 893c 0000 7611 f904 ad4d abcc 47cf 44f9 0089 0087 004c 1fd7 0d42 4000 0001 0000 0000 0001 2041 4241 4346 5046 5045 4e46 4445 4346 4345 5046 4846 4445 4646 5046 5041 4341 4200 0020 0001 c00c 0020 0001 0004 93e0 0006 8000 ccf0 8f65 What is the source port (in decimal)?
0x0089 = 137
4500 0060 893c 0000 7611 f904 ad4d abcc 47cf 44f9 0089 0087 004c 1fd7 0d42 4000 0001 0000 0000 0001 2041 4241 4346 5046 5045 4e46 4445 4346 4345 5046 4846 4445 4646 5046 5041 4341 4200 0020 0001 c00c 0020 0001 0004 93e0 0006 8000 ccf0 8f65 What is the total length of the embedded packet (bytes, in decimal)?
0x004c = 76
4500 0060 893c 0000 7611 f904 ad4d abcc 47cf 44f9 0089 0087 004c 1fd7 0d42 4000 0001 0000 0000 0001 2041 4241 4346 5046 5045 4e46 4445 4346 4345 5046 4846 4445 4646 5046 5041 4341 4200 0020 0001 c00c 0020 0001 0004 93e0 0006 8000 ccf0 8f65 What is the embedded packet header checksum (in hex)?
0x1fd7
4500 0060 893c 0000 7611 f904 ad4d abcc 47cf 44f9 0089 0087 004c 1fd7 0d42 4000 0001 0000 0000 0001 2041 4241 4346 5046 5045 4e46 4445 4346 4345 5046 4846 4445 4646 5046 5041 4341 4200 0020 0001 c00c 0020 0001 0004 93e0 0006 8000 ccf0 8f65 What is the first byte of the packet payload (in hex)?
0x0d
4500 0060 893c 0000 7611 f904 ad4d abcc 47cf 44f9 0089 0087 004c 1fd7 0d42 4000 0001 0000 0000 0001 2041 4241 4346 5046 5045 4e46 4445 4346 4345 5046 4846 4445 4646 5046 5041 4341 4200 0020 0001 c00c 0020 0001 0004 93e0 0006 8000 ccf0 8f65 What is the embedded protocol name?
0x11 = 17 = UDP
4500 0060 893c 0000 7611 f904 ad4d abcc 47cf 44f9 0089 0087 004c 1fd7 0d42 4000 0001 0000 0000 0001 2041 4241 4346 5046 5045 4e46 4445 4346 4345 5046 4846 4445 4646 5046 5041 4341 4200 0020 0001 c00c 0020 0001 0004 93e0 0006 8000 ccf0 8f65 What is the source IP address (as decimal octets)?
0xad4dabcc = 173.77.171.204
On the basis of the following TCPdump report, answer the following three (3) questions: my_dns.com > root_server.net.domain: 1111 (30) (DF) root_server.net > target_dns.com.domain: 1111 - 1/3/3 (153) (DF) 2. How many records were returned? 3. How many authority records were reported? 4. How many additional records were reported?
1 3 3
4500 0060 893c 0000 7611 f904 ad4d abcc 47cf 44f9 0089 0087 004c 1fd7 0d42 4000 0001 0000 0000 0001 2041 4241 4346 5046 5045 4e46 4445 4346 4345 5046 4846 4445 4646 5046 5041 4341 4200 0020 0001 c00c 0020 0001 0004 93e0 0006 8000 ccf0 8f65 What is the likely operating system/ application involved with this exchange?
135/137 is NetBIOS, so OS = Windows
What is the Max. Transmissible Unit of Ethernet II?
1518 bytes
How many total ports are there on a modern networked computer?
2**16, or 65535
Common ports TCP Apps:
20 = FTP data; 21 = FTP control; 22 = SSH; 23 = Telnet; 25 = SMTP; 53 = DNS; 80 = HTTP; 110 = POP3; 135-139 = NetBIOS; 142 = IMAP; 443 = HTTPS (SSL); 445 = SMB
On the basis of the following information about a TCP segment system, answer the questions below: Cat 1: Sent and ACKed: segments 1-7; Cat 2: Sent and NOT ACKed: segments 8-21; Cat 3: NOT sent but recipient ready: segments 22-30; Cat 4: NOT sent and recipient NOT ready: segments 31-41. What is the SEND window size?
23 (Cat 3 @ 30 minus Cat 1 @ 7)
4500 0060 893c 0000 7611 f904 ad4d abcc 47cf 44f9 0089 0087 004c 1fd7 0d42 4000 0001 0000 0000 0001 2041 4241 4346 5046 5045 4e46 4445 4346 4345 5046 4846 4445 4646 5046 5041 4341 4200 0020 0001 c00c 0020 0001 0004 93e0 0006 8000 ccf0 8f65 What is the total packet length (in decimal)?
60, 0x60 = 6 x 16 = 96
What is the Max. Transmissible Unit of IPv4?
64K
4500 0060 893c 0000 7611 f904 ad4d abcc 47cf 44f9 0089 0087 004c 1fd7 0d42 4000 0001 0000 0000 0001 2041 4241 4346 5046 5045 4e46 4445 4346 4345 5046 4846 4445 4646 5046 5041 4341 4200 0020 0001 c00c 0020 0001 0004 93e0 0006 8000 ccf0 8f65 What is the length of the packet payload (bytes, in decimal)?
68 bytes following the UDP header
4500 0060 893c 0000 7611 f904 ad4d abcc 47cf 44f9 0089 0087 004c 1fd7 0d42 4000 0001 0000 0000 0001 2041 4241 4346 5046 5045 4e46 4445 4346 4345 5046 4846 4445 4646 5046 5041 4341 4200 0020 0001 c00c 0020 0001 0004 93e0 0006 8000 ccf0 8f65 What is the packet ID (in hex)?
893c
On the basis of the following information about a TCP segment system, answer the questions below: Cat 1: Sent and ACKed: segments 1-7; Cat 2: Sent and NOT ACKed: segments 8-21; Cat 3: NOT sent but recipient ready: segments 22-30; Cat 4: NOT sent and recipient NOT ready: segments 31-41. What is the usable window size?
9 (Cat 3 @ 30 minus Cat 2 @ 21)
Where do ARP cache and switch state tables reside?
ARP cache on router, Switch state table on switch.
Explain the difference between an ARP cache and switch state tables.
ARP resolves MAC and IP; the switch table resolves MAC to port number.
Six possible defenses against TCP/IP hacking that involve address spoofing. List three (3) of them.
Avoid weak "-r" commands; do not allow source routing; don't authenticate with IP addresses
Describe a TCP service banner.
Banners are the welcome screens that divulge software version numbers and other system information on network hosts
Why is a pseudo header prepended to a UDP packet?
Because a real IP header isn't available to the transport layer
Why is UDP sometimes called a "wrapper protocol"?
Because it encapsulates the application data in the data field
4500 0060 893c 0000 7611 f904 ad4d abcc 47cf 44f9 0089 0087 004c 1fd7 0d42 4000 0001 0000 0000 0001 2041 4241 4346 5046 5045 4e46 4445 4346 4345 5046 4846 4445 4646 5046 5041 4341 4200 0020 0001 c00c 0020 0001 0004 93e0 0006 8000 ccf0 8f65 What is the IP header length in bytes?
IP header length is the 2nd half of 0x45 = 0x5 = 20 bytes (minimum)
What are the two primary filters that are used by Wireshark to reduce the volume of the data?
Capture filter, display filter
________________ reduces interrogation overhead by maintaining mirror caches in devices at both ends.
Cross-resolution
What is the name of a program or client that creates DNS queries and sends them to DNS servers?
Dig
The lectures mentioned nine (9) uses of packet crafting by "hackers." List five (5) of them.
Fingerprint OSs; covert tunneling; network mapping; port scanning; ARP spoofing; IP spoofing
4500 0060 893c 0000 7611 f904 ad4d abcc 47cf 44f9 0089 0087 004c 1fd7 0d42 4000 0001 0000 0000 0001 2041 4241 4346 5046 5045 4e46 4445 4346 4345 5046 4846 4445 4646 5046 5041 4341 4200 0020 0001 c00c 0020 0001 0004 93e0 0006 8000 ccf0 8f65 What IP flags are set?
First 3 bits of 00, 0x00 = 0000 = 0
Protocol vs. Type
IP - ARP, ICMP, IGMP; UDP - DNS, RIP, SNMP; TCP - Telnet, FTP, SMTP
Core TCP-IP
IP, ARP, TCP, UDP
Every networked device with complete TCP/IP protocol stack will be associated with two addresses. What are these addresses and with what TCP/IP layer are they associated?
IP/MAC, layer 2 @ ARP
What are the two addressing protocols (aka mappings) used in modern digital networks?
IPv4, IPv6
4500 0060 893c 0000 7611 f904 ad4d abcc 47cf 44f9 0089 0087 004c 1fd7 0d42 4000 0001 0000 0000 0001 2041 4241 4346 5046 5045 4e46 4445 4346 4345 5046 4846 4445 4646 5046 5041 4341 4200 0020 0001 c00c 0020 0001 0004 93e0 0006 8000 ccf0 8f65 What is the fragment offset (in decimal)?
Last 13 bits of 0x0000 is still 0.
OSI approved by ISO in 1983
Layer 7, application, units are encapsulated in other packet data as payload (HTTP, SSH, SMTP, etc.); Layer 6, presentation, SSL, encryption/compression; Layer 5, session, NetBIOS; Layer 4, transport, unit = "packet" (TCP/UDP, includes SYN/ACK etc.); Layer 3, network, unit = "datagram" (ICMP); Layer 2, data link, unit = "frame" (ARP, etc.); Layer 1, physical, units are bits
What are the three (3) most common packet capture libraries currently in use?
Libpcap, npcap, winpcap
Eight (8) betraying signs of packet crafting were mentioned in the lectures. List four (4) of them, 1-4
Low TTL value; protocol bending; fragmentation overlap; DF used inappropriately
Three types of spoofing were associated with hacking in the lectures under the rubric of the IP spoofing continuum. Discuss two (2) of them.
MAC spoofing IP spoofing
_______ mode is the setting for wireless cards that will detect all traffic that comes to it on a specific frequency but will only capture those packets to the host if it is associated with the service set.
Managed
_______ mode is the setting for wireless cards that allows data pickup of all wireless traffic within all frequency ranges supported by the card without requiring association with wireless access points.
Monitor
What are the 5 elements of the hacker's modus operandi discussed in class?
Reconnaissance, Scanning, Exploits, Maintaining access, Covering tracks
Name the TCP flag fields
SYN, ACK, FIN, PUSH, RST
Sort by Protocol: h. TCP analysis, unusual TCP flag combinations. The following TCP flag combinations are legitimate.
SYN tcp[13]==0x02; SYN-ACK tcp[13]==0x12; FIN-ACK tcp[13]==0x11; PUSH-ACK tcp[13]==0x18; RST-ACK tcp[13]==0x14
Give another example of how a switch state table may be poisoned.
Sending multiple updates of different MAC addresses mapped to a single IP.
Give one example of how an ARP cache may be poisoned.
Sending unsolicited "X has <Address>" messages to the router
What is the difference between session hijacking and session cloning?
Session hijacking steals a user's token to gain access to the session; session cloning (prediction) tries to guess a user's token.
(T/F) Both endpoints' OSs must agree to support SACK at the time the connection is established
T
4500 0060 893c 0000 7611 f904 ad4d abcc 47cf 44f9 0089 0087 004c 1fd7 0d42 4000 0001 0000 0000 0001 2041 4241 4346 5046 5045 4e46 4445 4346 4345 5046 4846 4445 4646 5046 5041 4341 4200 0020 0001 c00c 0020 0001 0004 93e0 0006 8000 ccf0 8f65 What is the TTL value (in decimal)?
TTL = 0x76, = 7* 16, + 6 = 118
Explain how the " Time to Live" field functions in the IP packet.
TTL contains max hops of packet, and is reduced each time the packet is routed through a new point.
The fact that the SACK bit = 1 in a TCP ACK packet indicates that
The sequences indicated have been received but not ACKed as yet
DNS zone transfers themselves are done via TCP for reliability. However, most DNS activity uses what protocol?
UDP
Assume Class B. Create 4 subnetting schemes: at least 15 subnets with at least 450 hosts per subnet.
Xxx.xxx.sssshhhh.hhhhhhhh 20. Subnet ID size: 4, Host ID size: 12; Xxx.xxx.ssssshhh.hhhhhhhh 21. Subnet ID size: 5, Host ID size: 11; Xxx.xxx.sssssshh.hhhhhhhh 22. Subnet ID size: 6, Host ID size: 10; Xxx.xxx.sssssssh.hhhhhhhh 23. Subnet ID size: 7, Host ID size: 9
_______ reduces interrogation overhead by capitalizing on locality of reference.
caching
Based upon the first octets of the following IPv4 Internet Addresses, list the classful size of the networks: 1001
first 2 bits are 10, so class B
Based upon the first octets of the following IPv4 Internet Addresses, list the classful size of the networks: 1101
first 3 bits of 110 are for class C
Based upon the first octets of the following IPv4 Internet Addresses, list the classful size of the networks: 0001
first bit is 0, so class A
Based upon the first octets of the following IPv4 Internet Addresses, list the classful size of the networks: 0111
first bit is 0, so class A
Write Wireshark filters that will capture or trace the following traffic: 14. All packets to and from IP 202.44.38.19 15. All TCP packets with the SYN flag set 16. With which Wireshark capture options should you most aggressively filter?
ip.addr == 202.44.38.19; tcp.flags.syn == 1; Protocol, address
Sort by Protocol: f. exclude "expected ports" like DNS (53) OR NetBIOS on port 137
windump -X -r cap1.dmp -n "udp and not (port 53 or port 137)"
Sort by Protocol: ICMP packets
windump -r cap1.dmp -n "icmp"
Sort by Protocol: non-IP traffic? WHY?
windump -r cap1.dmp -n "not ip"
STEP 2: TCP packets that don't have typical code bit combinations. Legitimate combinations would be things like SYN, ACK, SYN-ACK, FIN-ACK, PSH-ACK, RST-ACK.
windump -r cap1.dmp -n "tcp and not (tcp[13]==0x02 or tcp[13]==0x10 or tcp[13]==0x12 or tcp[13]==0x11 or tcp[13]==0x18 or tcp[13]==0x14)"
STEP 1: Let's take a look at one of the hosts seen as the target of a SYN scan. We're looking to see if we can decide if the packets are crafted.
windump -r cap1.dmp -n "tcp[13] & 0x02 != 0 and host 172.16.1.104"
Sort by Protocol: g. TCP traffic Specifically, SYN packets that attempt to establish a 3-way handshake.
windump -r cap1.dmp -n "tcp[13] & 0x02 != 0"
Sort by Protocol: d. exclude "expected ports" like DNS (53)
windump -r cap1.dmp -n "udp and not (port 53)"
Sort by Protocol: e. exclude "expected ports" like DNS (53). Let's also exclude port 137 (NetBIOS) and see if it's clearer.
windump -r cap1.dmp -n "udp and not (port 53 or port 137)"
Sort by Protocol: SUBTACTIC #3: ICMP packets i. Expand detail of TCPdump report with "-vv"
windump -r cap1.dmp -vv -n "icmp"