08 CEH: Sniffing
What is the IPv4 DHCP flow?
1. Client broadcasts *DHCPDISCOVER* 2. Server responds with *DHCPOFFER* 3. Client broadcasts *DHCPREQUEST* 4. Server responds with *DHCPACK* & configuration information
What happens when a CAM table is full?
Additional ARP request traffic floods every port on the switch, resetting the behavior of the switch to its learning mode and causing it to broadcast on every port like a hub
In what ARP poisoning threat does an attacker manipulate a client's connection to take complete control of the network?
Connection hijacking
What table within a switch contains the switch port to MAC address mapping and the VLAN, type, learn, and age fields for each entry?
Content Addressable Memory (CAM) table
What is a denial-of-service (DoS) attack on a DHCP where the attacker broadcasts forged DHCP requests and tries to lease all the DHCP addresses available in the DHCP scope, preventing legitimate users from being able to obtain or renew an IP address?
DHCP starvation attack
What is the name of the attack when an attacker alters or adds forged DNS records into the DNS resolver cache so that a DNS query is redirected to a malicious site?
DNS cache poisoning
What is the attack when an attacker creates a false hostname to IP address mapping within a DNS server (or its cache) so that the attacker can sniff traffic?
DNS poisoning / spoofing attack
What threat of ARP poisoning links multiple IP addresses with a single MAC address of a target host intended for different IP addresses and overloads it with a huge amount of traffic?
DoS attack
What should you enable to defend against *ARP spoofing* / *ARP poisoning*?
Dynamic ARP inspection using DHCP snooping binding table
True or false: to defend against sniffing, it's better to use *dynamic* IP addresses and ARP mappings than *static* IP addresses and ARP mapppings.
False
What field in an IPv4 DHCP message has a size of 128 octets?
File name
What is the routing protocol that allows a host to discover the IP addresses of active routers on their subnet by listening to router advertisement and soliciting messages on their network?
ICMP Router Discovery Protocol (IRDP)
What technique is also a type of network protocol for PNAC that is used to defend against MAC address spoofing and to enforce access control at the point where a user joins the network?
IEEE 802.1X suites
What is the defense technique for MAC spoofing used in switches that restricts the IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP snooping binding database?
IP Source Guard
What do you call it when an attacker sends a spoofed IRDP router advertisement message to a target on the subnet, causing it to change its default router to whatever to the attacker, allowing the attacker to sniff the traffic?
IRDP spoofing
What is the *ARP method* for sniffer detection?
If you send a non-broadcast ARP to all the nodes in a network, and a node running in the promiscuous mode broadcasts a ping message on the network with the local IP address but a different MAC address.
What is the name of the following attack? 1. The attacker infects the target with a trojan 2. The attacker uses the trojan to change the target's DNS IP address to redirect DNS requests to his machine, allowing him to forward traffic to his own site and sniff the traffic
Internet DNS spoofing
What do you call legally intercepting data traffic between two end points for surveillance?
Lawful interception
What is the *DNS method* for sniffer detection?
Most sniffers perform reverse DNS lookups to identify the machine's hostname from IP addresses it sees. A machine generating a lot of reverse DNS traffic is likely running a sniffer.
What is used in the ARPA-Internet community to distribute, inquire into, retrieve, and post news articles through reliable stream-based transmission?
NNTP
What do you call sniffing through a *hub*, wherein the traffic is sent to all ports?
Passive sniffing
What is wiretapping that monitors and records the traffic, but doesn't alter or inject data into it?
Passive wiretapping
What is a security configuration that restricts inbound traffic from only a selected set of MAC addresses and limits the effectiveness of MAC flooding attacks?
Port security
What do you call DHCP snooping on the switch, specifying the legitimate DHCP server's switch port as the trusted port for DHCP traffic?
Rogue DHCP server attack
What is the attack in which the attacker sets up a rogue DHCP server on the network and responds to DHCP requests with bogus IP addresses, resulting in compromised network access. The attacker can declare himself the default gateway and DNS server of the network, allowing him to sniff all traffic in the network?
Rogue DHCP server attack
What is the attack when an attacker connects a rogue switch with a low priority into the network to change the operations of the STP protocol and sniff all the network traffic?
STP attack
What is the IPv6 DHCP flow?
1. Client broadcasts *SOLICIT* 2. Server responds with *Advertise* 3. Client broadcasts *REQUEST* 4. Server responds with *Reply* & configuration information
What 3 things can you do to defend against *MAC spoofing*?
1. DHCP Snooping Binding Table 2. Dynamic ARP Inspection 3. IP Source Guard
What 3 methods does the material recommend for detecting sniffing?
1. Detect which machines in the network on running in promiscuous mode 2. Detect if the MAC address of any of the machines in the network changes 3. Detect strange packets (*Capsa Portable Network Analyzer*)
What are the 4 types of *DNS poisoning attacks*?
1. Intranet DNS Spoofing (local network) 2. Internet DNS Spoofing (remote network) 3. DNS Cache Poisoning 4. Proxy Server DNS Poisoning
What 3 *mobile sniffing tools* does the material recommend?
1. Sniffer Wicap 2. FaceNiff 3. Packet Capture
What is the length of ID number of an organization in a MAC address?
24 bits
What is wiretapping that monitors, records, *alters*, and *injects* data into the traffic?
Active wiretapping
What layer of the OSI model does sniffing occur?
The Data Link layer
What IPv4 DHCP packet fields includes a random number chosen by a client to associate request messages and their responses between the client and server?
Transaction ID (XID)
True or false: retrieving MAC addresses directly from NICs instead of from the OS is a valid countermeasure for defending against sniffing?
True
True or false: switch port security defends against *DHCP starvation* attacks
True
What IOS Global commands is used to configure the number of DHCP packets per second (pps) that an interface can receive?
ip dhcp snooping limit rate
What Cisco IOS global command is used to enable or disable DHCP snooping on one or more VLANs?
ip dhcp snooping vlan <VLAN 1>,<VLAN 2>,...,<VLAN n>
What Unix/Linux tool does the material recommend for MAC flooding?
macof
What IOS global commands verifies the DHCP snooping configuration?
show ip dhcp snooping
A network administrator wants to configure port security on a Cisco switch. What command helps the administrator to enable port security on an interface?
switchport port-security
What Cisco switch port configuration command is used to enter a secure MAC address for the interface and the maximum number of secure MAC addresses?
switchport port-security mac-address <MAC address>
What allows an attacker to view the individual data bytes of each packet passing through a network as well as capture a data packet, decode it, and analyze its content according to predetermined rules?
Hardware protocol analyzer
What is the name of the following attack? 1. The attacker is on the same LAN as the target 2. The attacker poisons the router and redirects DNS requests to his machine, allowing him to forward traffic to his own site and sniff the traffic
Intranet DNS spoofing
What is the process of flooding a switch's CAM table with fake MAC address and IP address pairs until it is full, causing it to act like a hub and enabling an attacker to easily sniff traffic?
MAC flooding
What is a setting that tells a NIC to process every network packet it sees regardless of the intended destination?
Promiscuous mode
What is a port on a switch that is configured to receive a copy of every packet that passes through the switch?
Span port
Which Cisco IOS global command adds all secure MAC addresses that are dynamically learned to the running configuration?
switchport port-security mac-address sticky
What IOS switch command is used to drop packets with unknown source addresses until a sufficient number of secure MAC addresses are removed?
switchport port-security violation restrict
What tool is used for analyzing PCAP files, like those produced by tcpdump, WinDump, Wireshark, and Ettercap?
tcptrace
What are the 2 types of *VLAN hopping* attacks?
1. Switch spoofing 2. Double tagging
What 2 *hardware protocol analyzers* does the material mention?
1. Voyager M4x Protocol Analyzer 2. N2X N5540A Agilent Protocol Analyzer
What 3 *sniffing tools* does the material recommend?
1. WireShark 2. SteelCentral Packet Analyzer 3. Capsa Network Analyzer
What 3 *ARP spoofing* / *ARP poisoning* tool does the material recommend?
1. arpspoof 2. BetterCAP 3. Ettercap
What 2 tools does the material recommend for detecting machines in promiscuous mode?
1. nmap's sniffer-detect.nse 2. NetScan Tools Pro
In what attack does an attacker broadcast gratuitous ARP messages (GARP) to associate his MAC address with the IP address of a legitimate client on the network, causing all traffic destined towards the legitimate client's IP address to be routed to the attacker?
ARP spoofing / ARP poisoning
What is the process of sniffing a *switch-based network*, which involves flooding the switch in such a way that it allows the attacker to sniff traffic?
Active sniffing
What is a mitigation for DNS cache poisoning / spoofing?
DNSSEC
What DHCPv6 messages is sent by a client to the server to indicate that the network address is already in use?
Decline
What tool does the material recommend for *DNS poisoning*?
DerpNSpoof
What is the *ping method* for sniffer detection?
If you send an ICMP ping request to a machine with *its correct IP address* and an *incorrect MAC address* and it responds, the machine is running in promiscuous mode. If it doesn't respond, it's not running in promiscuous mode.
What technique is used by attackers to compromise the security of network switches that connect network segments and force a switch to act as a hub to sniff the traffic easily?
MAC flooding
What is it call when an attacker sniffs a network for MAC addresses of clients who are actively associated with a switch port and reuses one of those MAC addresses, allowing the attacker to intercept all traffic destined for the client?
MAC spoofing / duplicating attack
What technique is an active wiretapping attack that allows an attacker to monitor and record traffic as well as alter or inject data into the communication or traffic?
MITM
What is the name of the following attack? 1. The attacker infects the target with a trojan 2. The attacker uses the trojan to change the target's proxy server IP address to that of the attacker, who can then sniff the traffic
Proxy server DNS poisoning
What attack involves the attacker spoofing the root bridge in the topology?
Spanning Tree Protocol (STP) attack
What is a technique that uses MAC flooding to cause the switch to forward packets bound for the port of a target to the port of the attacker, allowing the attacker to sniff the packets?
Switch port stealing
In what technique does an attacker use Dynamic Trunking Protocol (DTP) to negotiate a trunk link with a switch port in order to capture all traffic that is allowed on the trunk?
Switch spoofing
What tool does the material recommend for *MAC spoofing / duplicating*?
Technitium MAC Address Changer
True or false: using encrypted protocols is a valid countermeasure to defend against sniffing.
True
What technique enables devices to detect the existence of unidirectional links and disable the affected interfaces in the network, in addition to causing STP topology loops?
UDLD
What is the monitoring of telephone and Internet conversations by a third party who connects a listening device to the circuit carrying the information between the two endpoints?
Wiretapping
What tool does the material recommend for *detecting ARP spoofing / poisoning*?
XArp
What is the network forensic analysis tool that can monitor and extract information from network traffic as well as capture application data contained in the network traffic?
Xplico
What tool does the material recommend for performing a *DHCP starvation* attack?
Yersinia