Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
50 Cards in this Set
- Front
- Back
|
What is the difference between active and passive sniffers? |
Passive- any type of sniffing where traffic is looked at but not altered in any way. Active- traffic is monitored but it also can alter it in some way as determined by the attacking party. |
|
|
What 3 methods can you use to get around switches? |
ARP spoofing MAC duplicating MAC Flooding - ARP spoofing is a common method against the default gateway to capture traffic when using a switched network. - without ARP spoofing and MAC flooding or other techniques then you will not be able to capture traffic on a switches network. - Use ./macof to flood the port to MAC address table. This will move the switch into broadcast mode and allow you to sniff all packets on the network.
|
|
|
What needs to be installed in order to use a sniffer on Windows and Linux platforms? |
WinPCap- Windows Packet Capture Library LibPCap- Linux |
|
|
What are the best options to prevent attackers from sniffing your passwords? |
Kerberos Smart Cards Stanford secure remote password (SRP) |
|
|
How do you defend yourself from ARP Spoofing? |
-placing static ARP entries on servers, workstations, and routers -ARPWALL system -Turning IDS sensors to look for large amounts of ARP traffic on local subnets |
|
|
How would you filter packets for hotmail email messages in wireshark (ethereal)? |
(Http=“login.passport.com”)&&(http contains “POP3”) |
|
|
A command-line version of Wireshark. -Similar to tcpdump |
Tshark |
|
|
Small program with the sole intent of capturing traffic. |
Dumpcap |
|
|
Reads a capture and returns statistics on that file. |
Capinfos |
|
|
Edits or translates the format of capture files. |
Editcap |
|
|
Combines multiple files into one. |
Mergecap |
|
|
Creates a capture file from an ASCII hex dump of packets. |
Text2cap |
|
|
On a switch, each switchport represents a _______. |
Collision Domain |
|
|
Wireless access points function as a _______. |
Hub |
|
|
What mode must be configured to allow an NIC to capture all traffic on the wire? |
Promiscuous mode |
|
|
Which of the following prevents ARP poisoning? |
IP DHCP Snooping |
|
|
Jennifer is a system administrator who is researching a technology that will secure network traffic from potential sniffing by unauthorized machines. Jennifer is not concerned with the future impact on legitimate troubleshooting. What technology can Jennifer implement? |
SSH |
|
|
MAC spoofing applies a legitimate MAC address to an unauthenticated host, which allows the attacker to pose as a valid user. Based on your understanding of ARP, what would indicate a bogus client? |
A reverse ARP request maps to two hosts. |
|
|
Bob is attempting to sniff a wired network in his first pen test contract. He sees only traffic from the segment he is connected to. What can bob do to gather all switch traffic? |
MAC Flooding |
|
|
What technique funnels all traffic back to a single client, allowing sniffing from all connected hosts? |
ARP Poisoning |
|
|
What Wireshark filter displays only traffic from 192.168.1.1? |
ip.addr == 192.168.1.1 |
|
|
What common tool can be used for launching an ARP poisoning attack?which co |
Cain & Abel |
|
|
What command launches a CLI version of Wireshark? |
tshark |
|
|
Jennifer is using tcpdump to capture traffic on her network. She would like to save the capture for later review. What command can Jennifer use? |
Tcpdump -w capture.log |
|
|
To filter NetBIOS traffic which port would you filter on? |
139 |
|
|
Wireshark requires a network card to be able to enter which mode to sniff all network traffic? |
Promiscuous Mode |
|
|
Which network device can block sniffing to a single network collision domain, create VLANs, and make use of SPAN ports and port mirroring? |
Switch |
|
|
What device will neither limit the flow of traffic nor have an impact on the effectiveness of sniffing? |
Hub |
|
|
The command-line equivalent of WinDump is known as what? |
TCPdump |
|
|
TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. What tools can be used for passive OS fingerprinting? |
Tcpdump |
|
|
Which layer(s) of the OSI model do sniffers operate on? |
Sniffers operate in both layer 2 and layer 3 of the OSI model |
|
|
NIDS is based on technology similar to what? |
Packet sniffing |
|
|
HIDS is used to monitor activity on what? |
Host |
|
|
What can be used to evade an IDS? |
Encryption |
|
|
Altering a checksum of a packet can be used to do what? |
Evade an NIDS |
|
|
Firewalking is done to accomplish what? |
To analyze a firewall |
|
|
A method for overwhelming an IDS using packets with incorrect TTL values or flags is known as what? |
Insertion |
|
|
How does a fragmentation attack, which takes a packet, breaks it into fragments , and sends only some of the fragments to the target, cause a DoS? |
By exhausting memory by caching the fragments |
|
|
Which of the following uses a database of known attacks? A- signature file B- anomaly C- behavior D- shellcode |
A - signature file |
|
|
An anomaly-based NIDS Is designed to look for wha? |
Deviations from known traffic patterns. |
|
|
What can be used instead of a URL to evade some firewalls? |
IP address |
|
|
Multihomed firewall has a minimum of how many network connections? |
Three |
|
|
A DMZ is created with which of the following? |
A multihomed firewall |
|
|
A firewall is used to separate what? |
Networks |
|
|
In practice a honeypot will be configured how? |
As a duplicate of a real system |
|
|
Which ports does SNMP use to function? |
161-162 |
|
|
Http is typically open on which port in a firewall? |
80 |
|
|
What is a system used as a choke point for traffic? |
Bastion host |
|
|
At which layer of the OSI model does a packet-filtering firewall work? |
Layer 3 of the OSI model The Network layer. |
|
|
What type of firewall analyzed the status of traffic? |
Stateful inspection |
