Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
97 Cards in this Set
- Front
- Back
The most critical component in network baselining is/are _________.
|
historical baselines
|
|
baseline
|
- statistical profile of a network, network device, application utilization response time or volume.
- critical 1st step in IDing a network problem - helps in alerting to the types of cyber-attacks that cause changes in normal net/app traffic behavoir |
|
In detecting security breaches, the most beneficial data sources will be those that give you these 2 things
|
- detailed network utilization
- application volume of the network and its applications |
|
multi-tiered baselining
|
where the low, average, and high metric lvls are recorded hour-by-hour and day-by-day
|
|
6 baselining methods and techniques
|
- top-to-bottom network monitoring
- application monitoring - detailed packet analysis - continuous traffic capture - threshold alarms - packet analysis methodology |
|
a solution providing the capability to see the network from a high-lvl, holistic (summary) perspective
|
top-to-bottom network monitoring
|
|
identifying those applications consuming network resources
|
application monitoring
|
|
application monitoring:
well-known |
recognition of well-known apps like HTTP, SMTP/POP, or multimedia, like RTP or SIP
|
|
application monitoring:
web-based |
some client/svr apps like FTP & mail are headed to web-based, using HTTP/HTTPS
needs to be able to distinguish between normal web traffic and these types of apps |
|
application monitoring:
complex |
some apps use a range of TCP ports for comms or they encapsulate higher-lvl apps
needs to be able to to ID/aggregate |
|
application monitoring:
custom |
recognize, Id and and report any custom app used on the network
|
|
application monitoring:
unknown |
must ID/track extraneous apps, like Microsoft Svr Msg Blk (SMB)for example.
|
|
allows security specialist to ID specific code used in attack and develop response/prevent future attack
|
detailed packet analysis
|
|
storing complete packet-by-packet net traffic audit trail for several days
|
continuous traffic capture
|
|
alerts security specialist to specific metrics like utilization, abnormal app usage or exceeded response times
|
threshold alarms
|
|
packet analysis methodology:
plan |
answers things like:
what are you trying to ID or prove w/ packet analysis? what type of traffic to capture to help analysis? what length of time to give the data points for analysis? what capture tool is best for this analysis? |
|
packet analysis methodology:
deploy |
where do you need to place to app/device for optimum capture?
|
|
packet analysis methodology:
capture |
process raw data into useable format
decide how to filter/display for analysis |
|
packet analysis methodology:
analyze |
determine if captured traffic IDs or proves original hypothesis
|
|
packet analysis methodology:
refine |
adjust capture parameters/deployed location to provide better fidelity
|
|
2 basic categories of protocols
|
binary
textual |
|
binary protocol
|
transmits cmds/data as binary info
|
|
textual protocol
|
transmits cmds/data as an easily readable format
HTTP/HTTPS, SMTP, POP, IMAP (if it's not one of these in this mod, it's binary) |
|
DHCP
|
transmission protocol is UDP
|
|
Ethernet Header
|
1st 14 bytes of an Ethernet frame
TMAC, SMAC, and next protocol type (or if less than 1500/0x5DC, it's frame length field in bytes) |
|
01:00:0C:CC:CC:CC
|
Cisco multicast address often used with CDP
|
|
ARP Header
|
15-42/80 Bytes in Ethernet frame
hardware type - (2B) in ethernet, set to 0x0001 protocol type - (2B) 0x0800 is IP, hardware size - (1B) protocol size - (1B) opcode - (2B) 1-rqst, 2-rply, 3-RARP SMAC - (6B) SIP - (4B) originator IP TMAC (6B) 00:00:00:00:00:00 TIP - (4B) known IP MAC is requested for |
|
IPv4 Header
|
makes up 15 -34B/up to 74 B (20-60B)
IPv-(4b) v4 or v6 IHL-(4b) min 5, max 15 ToS-(1B) default 0x00 TIPL-(2B) min 20, max 65535 ID-(2B) aids in assy of frags IP flag-(3b) 2, 4, or 8 frag offset-(13b) TTL-(1B) next protocol-(1B) checksum-(2B) checksum on IP header only SIP-(4B) TIP-(4B) options-may or may not appear padding- pads to next 32-bit boundary |
|
10th Byte of IP header common values
|
1 (0x01) - ICMP (L3)
2 (0x02) - IGMP 6 (0x06) - TCP 8 (0x08) - EGP 17 (0x11) - UDP 88 (0x58) - IGRP 89 (0x59) - OSPF |
|
IPv6 Header
|
fixed 40B size
IPv-(4b) traffic class-(8b) flow label-(20b) payload length-(2B) next header-(1B)0x06-TCP, 0x11-UDP,0x3A-ICMPv6 hop limit-(1B) src addy-(16B) dest addy-(16B) |
|
min MTU for IPv6
|
1280, uses PATH MTU DISCOVERY to ensure route can handle
|
|
ipv6.nxt == 06
|
shows all IPv6 packets that contain TCP headers in wireshark
|
|
What 2 things are critical to ensure the Ip packet's integrity is intact upon reassembly?
|
Proper sequencing and
placement of fragments |
|
Every fragment must be the same size except _________.
|
the last one
|
|
ICMP
|
provides error reporting, flow ctrl and 1st-hop gateway direction
|
|
ICMPv4 Header
|
Type (1B)
Code (1B) Checksum (2B) Type 3 and 11 - (4B) unidentified Type 5 - (4B) redirect addr Type 0 and 8- ID (2B) Seq # (2B) |
|
where is the ICMP Header?
|
fits in packet directly following the IP header
|
|
two types of ICMP msgs
|
informational and error
0x00 - echo reply; info 0x03 - Destination unreachable; error 0x05 - redirect; error 0x08 - echo request; info 0x0B - TTL exceeded; error |
|
Data area of an ICMP error msg must contain__________.
|
original (offending) IP header, including all options and at least 8B of additional data
|
|
Type 3 error msg codes
|
0 - Network unreachable
1 - Host unreachable 2 - Protocol unreachable 3 - Port unreachable 13 - Communication administratively prohibited |
|
ICMP filtering in wireshark
|
icmp.type==3 and icmp.code==3
would show all dest unreachable/port unreachable error |
|
TCP header uses ________ and _________ to maintain order and assure reciept.
|
Seq #
Acknowledgement # |
|
TCP header contains 11 fields:
|
Src port (2B)
Dest port (2B) Seq # (4B) Acknowledgement #(4B) Data offset (4b) Reserved (4b) Ctrl flag (1B) window size (2B) {max size of window size:FFFF before more data can be sent to host) TCP checksum (2B) Urgent pntr (2B) points to last byte of URG data under ctrl flag |
|
Ctrl flags
|
2-URG; moves to top of stack to be pushed up
1-ACK; ID's ack field as significant, may or may not contain data, if so, stored in receiver's buffer 8-PSH; push up the stack as soon as possible 4-RST; the port is closed, reset connex 2-SYN; synchronize Seq #s 1-FIN; sender has no more data to send |
|
4-way graceful teardown
|
either side can start this:
Client - FIN/ACK Svr - ACK Svr - FIN/ACK Client - ACK |
|
phantom bit
|
(1B) (0x0001) used to update SEQ# and ACK# exchange when no data is sent
|
|
TCP Header exploits
|
OS enumeration by ISN
service enumeration through TCP ports TCP session hijacking customizing flag settings to bypass ACL, aid in enumeration through filtering devices,and DoS exploitation |
|
UDP
|
connectionless, unreliable transport mechanism
does not mean UDP comms are unreliable, upper layer protocols assume these responsibilities |
|
UDP header
|
Src Port (2B)
Dest Port (2B) UDP msg length (2B) UDP checksum (2B) optional, 0 if not used |
|
UDP filtering in wireshark
|
udp.port == 53; shows all DNS queries
udp.srcport == 53; shows all DNS responses |
|
DHCP
|
based on Bootstrap protocol
filter in wireshark using bootp, not DHCP 2 types: dynamic and manual |
|
dynamic DHCP
|
svr assigns IP to client for limited time (lease)
|
|
manual DHCP
|
client's IP assigned by admin, DHCP just conveys the addr
|
|
DORA
|
DHCP assignment process
1. client broadcasts DISCOVER msg 2. all DHCP svrs hearing, send OFFER 3. client REQUESTS from one svr, denying any others 4. DHCP svr broadcasts ACKNOWLEDGEMENT msg |
|
DHCP NAK
|
Svr to client
network addr is incorrect (new subnet,lease expired) |
|
DHCP Decline
|
client to svr
network addr already in use |
|
DHCP Release
|
client to svr
client gives up addr, cancelling remaining lease |
|
DHCP Inform
|
client to svr
asks for only local config items client has externally config'd addr |
|
DHCP filtering in wireshark
|
bootp; shows all DHCP traffic
udp.port == 67 or udp.port == 68; shows all DHCP traffic |
|
Active FTP
|
UDP ports 20 (data) 21 (cmds)
user initiates ctrl connex, svr does the rest (svr pushes data) |
|
Passive FTP
|
UDP ports 21 (cmds)
user initiates ctrl connex, opens data channel (goes and gets) on svr's advertised port more secure, good for firewalls/ACLs (SYN/ACK traffic) |
|
FTP:
Bye |
ASCII:
QUIT terminates session |
|
FTP:
dir |
ASCII:
LIST detailed version of ls cmd (ls -al) |
|
FTP:
get |
ASCII:
RETR svr transfers copy of file to requester |
|
FTP:
ls |
ASCII:
NLST list contents of specified dir, files only |
|
FTP:
mkdir |
ASCII:
MKD creates dir on FTP svr |
|
FTP:
put |
ASCII:
STOR (not STORE) svr stores data sent to it as a file, over writes if already there |
|
HTTP
|
application-lvl protocol over TCP port 80
generic, stateless; used for distributing HTML docs |
|
HTTP communication
|
1. Client establishes TCP connex using given URL (3-way handshake)
2. Client sends HTTP request 3. Svr provides document 4. TCP connex closed |
|
HTTP cmd:
GET |
a rqst to retrieve whatever info is ID'd by recipient
|
|
HTTP cmd:
HEAD |
Same as GET, except svr must not returna msg-body, only meta-info
|
|
HTTP cmd:
POST (think msgs) |
used to request the server to accept enclosed data as a new subordinate of the svr resource ID'd in rqst
- post a msg to BBS, newsgrp, mx list - submitting a form to a data handling process |
|
HTTP cmd:
PUT (think files) |
rqsts enclosed item to be stored under ID'd svr resource
|
|
GET data field:
Request start line |
contains rqst method, desired URL and HTTP version
|
|
GET data field:
ACCEPT |
specifies certain media types that are acceptable for response
|
|
GET data field:
ACCEPT CHARSET |
ID's which character sets are acceptable
if * is here, all are accepted |
|
GET data field:
ACCEPT ENCODING |
ID's encoding method client will accept
|
|
GET data field:
ACCEPT-LANGUAGE |
ID's language client will accept
|
|
GET data field:
COOKIE |
used to ID user to a svr
|
|
GET data field:
USER-AGENT |
ID's browser app used by client
|
|
GET data field:
HOST |
ID's URL client is rqsting
|
|
Wireshark filter:
Show all HTTP error msgs |
http.response.code>399
others: 1XX-info 2XX-success 3XX-redirect 4XX-client error 5XX-svr error |
|
HTTPS
|
uses port 443
same comm rules and syntax as HTTP usually uses HTTPSURL prefix ID's a secure connex w/padlock symbol |
|
SSL
|
client can verify ID of svr
provides authentication, integrity, and confidentiality x.509 |
|
DNS
|
client rqsts IP addr for a known FQDN
or FQDN for a known IP addr |
|
DNS header
|
Transaction ID (2B) matches rqsts/response packets
Flags (2B) type (0000-7FFF=query, 8000-FFFF=response) Questions (2B) # of question records in rqst Answer Records (2B) # of answer records in response |
|
DNS query:
Iterative |
svr to svr query when 1st svr does not know answer
|
|
DNS query:
Recursive |
client to DNS and back to client query
|
|
DNS reply
|
responds to query
all smae fields as query, also includesanswer field at end of packet |
|
DNS record type:
A |
Mapping
|
|
DNS record type:
CNAME |
canonical name (mapping) alias
|
|
DNS record type:
MX |
mail records
|
|
DNS record type:
AXFR |
zone tranfer
|
|
DNS record type:
PTR |
pointer record
reverse lookup |
|
DNS zone transfer
|
used between DNS svrs to keep DNS tables up to date
- when starting DNS service on secondary - when refresh time expires - when changes are saved to primary zone file secondary svrs initiate zone transfers, primaries answer |
|
If in-addr.arpa is in ASCII portion of Wireshark, then...
|
DNS is active in that packet
|
|
LDAP
|
port 389
x.500 |