Chapters 9, 11, 12

The stack operates on _______ a basis. FIFO LIFO FILO LILO

LIFO The stack uses a last-in, first-out scheme. Items are pushed onto or popped from the top, so at any time the only accessible item on the stack is the last one pushed there.

A session hijack can happen with which of the following? Networks and applications Networks and physical devices Browsers and applications Cookies and devices

Network and applications

On a switch, each switchport represents a ____________. VLAN Broadcast domain Host Collision domain

Collision domain Each switchport represents a collision domain, thereby limiting sniffing to only the clients residing on that port.

What command-line utility can you use to craft custom packets with specific flags set? Nmap Zenmap Ping hping3

hping3 Although the Nmap and Zenmap utilities can activate specific TCP flags based on the custom scan desired, the hping3 utility was designed for creating custom packets and manipulating TCP flags.

Session hijacking can be thwarted with which of the following? SSH FTP Authentication Sniffing

Authentication

What response is missing in a SYN flood attack? ACK SYN SYN-ACK URG

ACK During a SYN flood, the last step of the three-way handshake is missing, which means that after the SYN and SYN-ACK are performed, the final ACK is not received.

What device will neither limit the flow of traffic nor have an impact on the effectiveness of sniffing? Hub Router Switch Gateway

Hub A hub cannot limit the flow of traffic in any way, meaning that all traffic flowing through the hub can be viewed and analyzed.

Wireless access points function as a ____________. Hub Bridge Router Repeater

Hub All wireless access points are essentially hubs in that they do not segregate traffic the way a traditional wired switch does.

Which of the following prevents ARP poisoning? ARP Ghost IP DHCP Snooping IP Snoop DNSverf

IP DHCP Snooping IP DHCP Snooping can be used on Cisco devices to prevent ARP poisoning by validating IP-to-MAC mappings based on a saved database.

Jennifer is using tcpdump to capture traffic on her network. She would like to review a capture log gathered previously. What command can Jennifer use? tcpdump -r capture.log tcpdump - l capture.log tcpdump -t capture.log tcpdump -w capture.log

tcpdump -r capture.log The option -r is used to read the capture file, or the capture can be opened in a GUI-based sniffer such as Wireshark.

What is the hexadecimal value of a NOP instruction in an Intel system? 0x99 0x90 0x80 99x0

0x90 0x90 is the hexadecimal value of a NOP instruction for Intel-based systems. Remember to keep an eye out for this value; it indicates a NOP and possibly a NOP sled, which could indicate a buffer overflow condition in progress.

Tiffany is analyzing a capture from a client's network. She is particularly interested in NetBIOS traffic. What port does Tiffany filter for? 123 139 161 110

139 Tiffany looks for NetBIOS traffic on port 139. She can use the filter string tcp .port eq 139.

Which DoS attack sends traffic to the target with a spoofed IP of the target itself? Land Smurf Teardrop SYN flood

Land A land attack fits this description. Smurf Attacks deal with ICMP echo requests going back to a spoofed target address. SYN floods use custom packets that barrage a target with requests. Teardrop attacks use custom fragmented packets that have overlapping offsets.

Which Wireshark filter displays only traffic from 192.168.1.1? ip.addr =! 192.168.1.1 ip.addr ne 192.168.1.1 ip.addr == 192.168.1.1 ip.addr - 192.168.1.1

ip.addr == 192.168.1.1 The Wireshark operator == means equal to. In this scenario, using the == operator filters down to 192.168.1.1 as the specific host to be displayed.

Wireshark requires a network card to be able to enter which mode to sniff all network traffic? Capture mode Promiscuous mode Pcap mode Gather mode

Promiscuous mode To sniff all traffic on a network segment, promiscuous mode is required, which allows all network traffic to be captured.

Groups and individuals who hack systems based on principle or personal beliefs are known as ___________. White hats Black hats Script kiddies Hacktivists

Hacktivists Hacktivists get their title from the paradigm of hacktivism. These hackers launch attacks against targets because they believe those targets violate the attackers' morals, ethics, or principles.

What is the name for the dynamic memory space that, unlike the stack, doesn't rely on sequential ordering or organization? Pointer Heap Pile Load

Heap Along with the stack, the heap provides a program with a dynamic memory space that can serve as a nonsequential storage location for variables and program items.

Session hijacking can be performed on all of the following protocols except which one? FTP SMTP HTTP IPsec

IPsec IPSec is designed with many goals in mind; one of them is that it is not as vulnerable to session hijacking as the other protocols and services listed here.

Jennifer has been working with sniffing and session-hijacking tools on her company network. Since she wants to stay white hat—that is, ethical—she has gotten permission to undertake these activities. What would Jennifer's activities be categorized as? Passive Monitoring Active Sniffing

Passive

Session hijacking can do all of the following except which one? Take over an authenticated session Be used to steal cookies Take over a session Place a cookie on a server

Place a cookie on a server

What mode must be configured to allow an NIC to capture all traffic on the wire? Extended mode 10/100 Monitor mode Promiscuous mode

Promiscuous mode An NIC must be configured to operate in promiscuous mode to capture all traffic on the network. More specifically, it allows the interface to capture both traffic that is intended for the host and traffic that is intended for other clients.

A man-in-the-browser attack is typically enabled by using which mechanism? Virus Worms Logic bombs Trojans

Trojans

Jennifer is using tcpdump to capture traffic on her network. She would like to save the capture for later review. What command can Jennifer use? tcpdump -r capture.log tcpdump - l capture.log tcpdump -t capture.log tcpdump -w capture.log

tcpdump -w capture.log Tcpdump uses the option -w to write a capture to a log file for later review. The option -r is used to read the capture file, or the capture can be opened in a GUI-based sniffer such as Wireshark.

Which command launches a CLI version of Wireshark? Wireshk dumpcap tshark editcap

tshark The command for the CLI version of Wireshark is tshark.

Which function(s) are considered dangerous because they don't check memory bounds? (Choose all that apply.) gets() strcpy() scanf() strcat()

ALL; gets(), strcpy(), scanf(), strcat() All of these C functions are considered dangerous because they do not check memory bounds. Thus, code containing any of these can be part of a buffer overflow attack.

MAC spoofing applies a legitimate MAC address to an unauthenticated host, which allows the attacker to pose as a valid user. Based on your understanding of ARP, what would indicate a bogus client? The MAC address doesn't map to a manufacturer. The MAC address is two digits too long. A reverse ARP request maps to two hosts. The host is receiving its own traffic.

A reverse ARP request maps to two hosts. MAC spoofing results in duplicate MAC addresses on a network unless the compromised client has been bumped from its connection. Two IP addresses mapping to one MAC indicates a bogus client.

A session hijack can be initiated from all of the following except which one? Emails Browsers Web applications Cookies and devices

Cookies and devices

What is the key difference between a smurf and a fraggle attack? TCP vs. UDP TCP vs. ICP UDP vs. ICMP TCP vs. ICMP

TCP vs. UDP A Smurf Attack uses ICMP to carry out its action whereas UDP is used during Fraggle Attacks. TCP is not used in either attack.

Jennifer is a junior system administrator for a small firm of 50 employees. For the last week a few users have been complaining of losing connectivity intermittently with no suspect behavior on their part such as large downloads or intensive processes. Jennifer runs Wireshark on Monday morning to investigate. She sees a large amount of ARP broadcasts being sent at a fairly constant rate. What is Jennifer most likely seeing? ARP poisoning ARP caching ARP spoofing DNS spoofing

ARP poisoning

Which of the following is not a source of session IDs? URL Cookie Anonymous login Hidden login

Anonymous login URLs, cookies, and hidden logins are all sources of session IDs.

What protocol is used to carry out a fraggle attack? IPX TCP UDP ICMP

UDP UDP is the protocol that is used to carry out a Fraggle Attack. ICMP plays a role in ping floods, which are a different type of attack. TCP and IPX do not play any role in this type of attack.

A public use workstation contains the browsing history of multiple users who logged in during the last seven days. While digging through the history, a user runs across the following web address: www.snaz22enu.com/&w25/session=22525. What kind of embedding are you seeing? URL embedding Session embedding Hidden form embedding Tracking cookie

URL embedding

What technique funnels all traffic back to a single client, allowing sniffing from all connected hosts? ARP redirection ARP poisoning ARP flooding ARP partitioning

ARP poisoning ARP poisoning alters ARP table mappings to align all traffic to the attacker's interface before traveling to the proper destination. This allows the attacker to capture all traffic on the network and provides a jumping-off point for future attacks.

Which pointer in a program stack gets shifted or overwritten during a successful overflow attack? ESP ECP EIP EBP

EIP A successful overflow attack can change the value of an Extended Instruction Pointer (EIP) saved on the stack.

The command-line equivalent of WinDump is known as what? Wireshark Tcpdump WinDump Netstat

tcpdump Tcpdump is a command-line equivalent of WinDump, which allows the sniffing of network traffic.

Jason is the local network administrator who has been tasked with securing the network from possible DoS attacks. Within the last few weeks, some traffic logs appear to have internal clients making requests from outside the internal LAN. Based on the traffic Jason has been seeing, what action should he take? Throttle network traffic. Update antivirus definitions. Implement egress filtering. Implement ingress filtering.

Implement ingress filtering. Throttling network traffic will slow down a potential DoS attack; however, an ingress filter will check for internal addresses coming in from the public side. This is a good indicator of a spoofed IP.

A man-in-the-middle attack is an attack where the attacking party does which of the following? Infect the client system Infect the server system Insert themselves into an active session Insert themselves into a web application

Insert themselves into an active session

In a DDoS attack, what communications channel is commonly used to orchestrate the attack? Internet Relay Chat (IRC) MSN Messenger ICMP Google Talk

Internet Relay Chat A DDoS attacker commonly uses IRC to communicate with handlers, which in turn send the attack signal to the infected clients (zombies).

Which technology can provide protection against session hijacking? IPsec UDP TCP IDS

Ipsec IPsec provides encryption and other related services that can thwart the threat of session hijacking.

What is a single-button DDoS tool suspected to be used by groups such as Anonymous? Trinoo Crazy Pinger LOIC DoSHTTP

LOIC The DDoS tool Low Orbit Ion Cannon (LOIC) is a single-button utility that is suspected of being used in large-scale DDoS attacks.

Bob is attempting to sniff a wired network in his first pen test contract. He sees only traffic from the segment he is connected to. What can Bob do to gather all switch traffic? MAC flooding MAC spoofing IP spoofing DOS attack

MAC flooding Bob can launch a MAC flooding attack against the switch, thereby converting the switch into a large hub. If successful, this will allow Bob to sniff all traffic passing through the switch.

Zombies Inc. is looking for ways to better protect their web servers from potential DoS attacks. Their web admin proposes the use of a network appliance that receives all incoming web requests and forwards them to the web server. He says it will prevent direct customer contact with the server and reduce the risk of DoS attacks. What appliance is he proposing? Web proxy IDS Reverse proxy Firewall

Reverse proxy Reverse proxies are implemented to protect the destination resource, not the client or user. In this scenario, a reverse proxy will field all outside requests, thereby preventing direct traffic to the web server and reducing the risk of a DoS attack.

Jennifer is a system administrator who is researching a technology that will secure network traffic from potential sniffing by unauthorized machines. Jennifer is not concerned with the future impact on legitimate troubleshooting. What technology can Jennifer implement? SNMP LDAP SSH FTP

SSH Jennifer can implement a form of encryption for the traffic that she wants to protect from sniffing. Secure Shell traffic would not be readable if captured by a sniffer; however, any legitimate network troubleshooting efforts would also prove more challenging because of packet encryption.

Adding to and removing from a program stack are known as what? Pop and lock Push and pop Stack and pull Plus and minus

Push and pop Adding an item to the stack is known as pushing, and removing an item from the stack is known as popping. Remember that adding and removing occur only at the top.

What common tool can be used for launching an ARP poisoning attack? Cain & Abel Nmap Scooter Tcpdump

Cain & Abel Cain & Abel is a well-known suite of tools used for various pen-testing functions such as sniffing, password cracking, and ARP poisoning.

Julie has sniffed an ample amount of traffic between the targeted victim and an authenticated resource. She has been able to correctly guess the packet sequence numbers and inject packets, but she is unable to receive any of the responses. What does this scenario define? Switched network SSL encryption TCP hijacking Blind hijacking

Blind hijacking The key portion of the question is that Julie is not receiving a response to her injected packets and commands. Although the sequence prediction does relate to TCP hijacking, the best answer is blind hijacking.

Which kind of values is injected into a connection to the host machine in an effort to increment the sequence number in a predictable fashion? Counted Bit Null IP

Null Null values are used to increment the sequence numbers of packets between the victim and the host. The null packets are sent to the host machine in an effort to prepare for desynchronizing the client.

What is the main difference between DoS and DDoS? Scale of attack Number of attackers Goal of the attack Protocols in use

Number of attackers The main difference between the two types of attacks is the number of attackers. The goal is the same and the scale is different but hard to define. Protocols have no bearing and are irrelevant.

Which statement defines session hijacking most accurately? Session hijacking involves stealing a user's login information and using that information to pose as the user later. Session hijacking involves assuming the role of a user through the compromise of physical tokens such as common access cards. Session hijacking is an attack that aims at stealing a legitimate session and posing as that user while communicating with the web resource or host machine. Session hijacking involves only web applications and is specific to stealing session IDs from compromised cookies.

Session hijacking is an attack that aims at stealing a legitamate session and posing as that user while communicating with the web resource or host machine.

What is the most common sign of a DoS attack? Weird messages Rebooting of a system Slow performance Stolen credentials

Slow performance Although any of these options could be symptomatic of a DoS attack, the most common is slow performance.

Network-level hijacking focuses on the mechanics of a connection such as the manipulation of packet sequencing. What is the main focus of web app session hijacking? Breaking user logins Stealing session IDs Traffic redirection Resource DoS

Stealing session IDs Stealing session IDs is the main objective in web session hijacking. Session IDs allow the attacker to assume the role of the legitimate client without the time-consuming task of brute-forcing user logins or sniffing out authentication information.

An ethical hacker sends a packet with a deliberate and specific path to its destination. What technique is the hacker using? IP spoofing Source routing ARP poisoning Host routing

Source routing Source routing specifies the path the packet will take to its destination. Source routing can give an attacker the flexibility to direct traffic around areas that may prevent traffic flow or redirect traffic in an undesired fashion.

Which network device can block sniffing to a single network collision domain, create VLANs, and make use of SPAN ports and port mirroring? Hub Switch Router Bridge

Switch A switch can limit sniffing to a single collision domain, unlike a lesser device such as a hub.

What is an eight-in-one DoS tool that can launch such attacks as land and teardrop? Jolt Targa TFN2K Trinoo

Targa Targa has eight different DoS attacks included in its capabilities. TFN2K and Trinoo are designed to carry out DDoS attacks and be a part of a botnet.

Session fixation is a vulnerability in which of the following? Web applications Networks Software applications Protocols

Web applications

XSS is typically targeted toward which of the following? Web applications Email clients Web browsers Users

Web browsers

What is the generic syntax of a Wireshark filter? protocol.field operator value field.protocol operator value operator.protocol value field protocol.operator value field

protocol.field operator value Wireshark filters use the basic syntax of putting the protocol first followed by the field of interest, the operator to be used, and finally the value to look for (tcp .port == 23).