Protocol Analysis Set 1

Front 1

The most critical component in network baselining is/are _________.

Back 1

historical baselines

Front 2

Baseline

Back 2

- statistical profile of a certain performance metric - network device or application utilization response time or volume.

Front 3

Particularly helpful in alerting you to the type of cyber atacks that cause significant changes in normal network and application traffic behavior

Back 3

Baselines

Front 4

multi-tiered baselining

Back 4

where the low, average, and high metric lvls are recorded hour-by-hour and day-by-day

Front 5

6 baselining methods and techniques

Back 5

- Top-to-bottom network monitoring
- Application monitoring
- Detailed packet analysis
- Continuous traffic capture
- Threshold alarms
- Packet analysis methodology

Front 6

A solution providing the capability to see the network from a high-lvl, holistic (summary) perspective

Back 6

Top-to-bottom network monitoring

Front 7

What are the five types of application monitoring?

Back 7

Well-known

Web-based

Complex

Custom

Unknown

Front 8

Identifying those applications consuming network resources

Back 8

Application monitoring

Front 9

Application monitoring:

Well-known

Back 9

recognition of well-known apps like HTTP, SMTP/POP, or multimedia, like RTP or SIP

Front 10

Application monitoring:
web-based

Back 10

some client/svr apps like FTP & mail are headed to web-based, using HTTP/HTTPS
needs to be able to distinguish between normal web traffic and these types of apps

Front 11

Application monitoring:

Complex

Back 11

some apps use a range of TCP ports for comms or they encapsulate higher-lvl apps
needs to be able to to ID/aggregate

Front 12

Application monitoring:

Custom

Back 12

recognize, Id and and report any custom app used on the network

Front 13

application monitoring:

Unknown

Back 13

must ID/track extraneous apps, like Microsoft Svr Msg Blk (SMB)for example.

Front 14

Allows the security specialist to identify the specific code being used in the attack and develop a security response to prevent future occurences

Back 14

Detailed Packet-Level Analysis

Front 15

storing complete packet-by-packet net traffic audit trail for several days

Back 15

Continuous traffic capture

Front 16

alerts security specialist to specific metrics like utilization, abnormal app usage or exceeded response times

Back 16

Threshold alarms

Front 17

What 5 components comprise the Packet Analysis Methodology

Back 17

Plan

Deploy

Capture

Analyze

Refine

Front 18

packet analysis methodology:

Plan

Back 18

what are you trying to ID or prove w/ packet analysis?
what type of traffic to capture to help analysis?
what length of time to give the data points for analysis?
what capture tool is best for this analysis?

Front 19

packet analysis methodology:

Deploy

Back 19

where do you need to place to app/device for optimum capture?

Front 20

packet analysis methodology:

Capture

Back 20

process raw data into useable format
decide how to filter/display for analysis

Front 21

packet analysis methodology:

Analyze

Back 21

determine if captured traffic IDs or proves original hypothesis

Front 22

packet analysis methodology:

Refine

Back 22

adjust capture parameters/deployed location to provide better fidelity

Front 23

2 basic categories of protocols

Back 23

Binary & Textual

Front 24

binary protocol

Back 24

transmits cmds/data as binary info

Front 25

What are the 5 Textual transmit commands?

Back 25

HTTP

HTTPS

SMTP

POP

IMAP

Front 26

textual protocol

Back 26

transmits cmds/data as an easily readable format

Front 27

DHCP

Back 27

transmission protocol is UDP

Front 28

Ethernet Header

Back 28

1st 14 bytes of an Ethernet frame
TMAC, SMAC, and next protocol type (or if less than 1500/0x5DC, it's frame length field in bytes)

Front 29

Ethernet Header:

First 6 Bytes: 01:00:0C:CC:CC:CC

Back 29

A value of 01:00:0C:CC:CC:CC in the Target MAC Address indicates a multicast address for Cisco Devices

Front 30

ARP Header

Back 30

15th-42nd/78th Bytes in Ethernet frame
hardware type - (2B) in ethernet, set to 0x0001
protocol type - (2B) 0x0800 is IP,
hardware size - (1B)
protocol size - (1B)
opcode - (2B) 1-rqst, 2-rply, 3-RARP
SMAC - (6B)
SIP - (4B) originator IP
TMAC (6B) 00:00:00:00:00:00 -Request

Set to originator's MAC address-Reply

TIP - (4B) IP of MAC requested for -Request

IP of the request originator- Reply

Front 31

Filtering the ARP header to show all ARP requests

Back 31

arp.opcode == 3

Front 32

IPv4 Header

Back 32

makes up 15 -34B/up to 74 B (20-60B)
IPv-(4b) v4 or v6
IHL-(4b) min 5, max 15
ToS-(1B) default 0x00
TIPL-(2B) min 20, max 65535
ID-(2B) aids in assy of frags
IP flag-(3b) 2, 4, or 8
frag offset-(13b)
TTL-(1B)
next protocol-(1B)
checksum-(2B) checksum on IP header only
SIP-(4B)
TIP-(4B)
options-may or may not appear
padding- pads to next 32-bit boundary

Front 33

10th Byte of IP header common values

Back 33

1 (0x01) - ICMP (L3)
2 (0x02) - IGMP
6 (0x06) - TCP
8 (0x08) - EGP
17 (0x11) - UDP
88 (0x58) - IGRP
89 (0x59) - OSPF

Front 34

IPv6 Header

Back 34

makes up the 15 -54B fixed 40B

IPv-(4b)
traffic class-(8b)
flow label-(20b)
payload length-(2B)
next header-(1B)0x06-TCP, 0x11-UDP,0x3A-ICMPv6
hop limit-(1B)
src addy-(16B)
dest addy-(16B)

Front 35

min MTU for IPv6

Back 35

1280, uses PATH MTU DISCOVERY to ensure route can handle

Front 36

ipv6.nxt == 06

Back 36

shows all IPv6 packets that contain TCP headers in wireshark

Front 37

What 2 things are critical to ensure the Ip packet's integrity is intact upon reassembly?

Back 37

Proper sequencing and
placement of fragments

Front 38

Every fragment must be the same size except _________.

Back 38

the last one

Front 39

ICMP

Back 39

provides error reporting, flow ctrl and 1st-hop gateway direction

Front 40

ICMPv4 Header

Back 40

Type (1B)
Code (1B)
Checksum (2B)
Type 3 and 11 - (4B) unidentified
Type 5 - (4B) redirect addr
Type 0 and 8- ID (2B) Seq # (2B)

Front 41

where is the ICMP Header?

Back 41

fits in packet directly following the IP header

Front 42

two types of ICMP msgs

Back 42

informational and error
0x00 - echo reply; info
0x03 - Destination unreachable; error
0x05 - redirect; error
0x08 - echo request; info
0x0B - TTL exceeded; error

Front 43

Data area of an ICMP error msg must contain__________.

Back 43

original (offending) IP header, including all options and at least 8B of additional data

Front 44

Type 3 error msg codes

Back 44

0 - Network unreachable
1 - Host unreachable
2 - Protocol unreachable
3 - Port unreachable
13 - Communication administratively prohibited

Front 45

ICMP filtering in wireshark

Back 45

icmp.type==3 and icmp.code==3
would show all dest unreachable/port unreachable error

Front 46

TCP header uses ________ and _________ to maintain order and assure reciept.

Back 46

Seq #
Acknowledgement #

Front 47

TCP header contains 11 fields:

Back 47

Src port (2B)
Dest port (2B)
Seq # (4B)
Acknowledgement #(4B)
Data offset (4b)
Reserved (4b)
Ctrl flag (1B)
window size (2B) {max size of window size:FFFF before more data can be sent to host)
TCP checksum (2B)
Urgent pntr (2B) points to last byte of URG data under ctrl flag

Front 48

Ctrl flags

Back 48

2-URG; moves to top of stack to be pushed up
1-ACK; ID's ack field as significant, may or may not contain data, if so, stored in receiver's buffer

--------------------------------------------------------------------
8-PSH; push up the stack as soon as possible
4-RST; the port is closed, reset connex
2-SYN; synchronize Seq #s
1-FIN; sender has no more data to send

Front 49

4-way graceful teardown

Back 49

either side can start this:
Client - FIN/ACK
Svr - ACK
Svr - FIN/ACK
Client - ACK

Front 50

phantom bit

Back 50

(1B) (0x0001) used to update SEQ# and ACK# exchange when no data is sent

SYNs and FINs

Front 51

TCP Header exploits

Back 51

OS enumeration by ISN
service enumeration through TCP ports
TCP session hijacking
customizing flag settings to bypass ACL, aid in enumeration through filtering devices,and DoS exploitation

Front 52

UDP

Back 52

connectionless, unreliable transport mechanism
does not mean UDP comms are unreliable, upper layer protocols assume these responsibilities

Front 53

UDP header

Back 53

Src Port (2B)
Dest Port (2B)
UDP msg length (2B)
UDP checksum (2B) optional, 0 if not used

Front 54

UDP filtering in wireshark

Back 54

udp.port == 53; shows all DNS queries
udp.srcport == 53; shows all DNS responses

Front 55

DHCP

Back 55

based on Bootstrap protocol
filter in wireshark using bootp, not DHCP
2 types: dynamic and manual

Front 56

dynamic DHCP

Back 56

svr assigns IP to client for limited time (lease)

Front 57

manual DHCP

Back 57

client's IP assigned by admin, DHCP just conveys the addr to client

Front 58

DORA

Back 58

DHCP assignment process
1. client broadcasts DISCOVER msg
2. all DHCP svrs hearing, send OFFER
3. client REQUESTS from one svr, denying any others
4. DHCP svr broadcasts ACKNOWLEDGEMENT msg

Front 59

DHCP NAK

Back 59

Svr to client
network addr is incorrect (new subnet,lease expired)

Front 60

DHCP Decline

Back 60

client to svr
network addr already in use

Front 61

DHCP Release

Back 61

client to svr
client gives up addr, cancelling remaining lease

Front 62

DHCP Inform

Back 62

client to svr
asks for only local config items
client has externally config'd addr

Front 63

DHCP filtering in wireshark

Back 63

bootp; shows all DHCP traffic
udp.port == 67 or udp.port == 68; shows all DHCP traffic

Front 64

Active FTP

Back 64

UDP ports 20 (data) 21 (cmds)
user initiates ctrl connex, svr does the rest (svr pushes data)

Front 65

Passive FTP

Back 65

UDP ports 21 (cmds)
user initiates ctrl connex, opens data channel (goes and gets) on svr's advertised port
more secure, good for firewalls/ACLs (SYN/ACK traffic)

Front 66

FTP:
Bye

Back 66

ASCII:
QUIT
terminates session

Front 67

FTP:
dir

Back 67

ASCII:
LIST
detailed version of ls cmd (ls -al)

Front 68

FTP:
get

Back 68

ASCII:
RETR
svr transfers copy of file to requester

Front 69

FTP:
ls

Back 69

ASCII:
NLST
list contents of specified dir, files only

Front 70

FTP:
mkdir

Back 70

ASCII:
MKD
creates dir on FTP svr

Front 71

FTP:
put

Back 71

ASCII:
STOR (not STORE)
svr stores data sent to it as a file, over writes if already there

Front 72

HTTP

Back 72

application-lvl protocol over TCP port 80
generic, stateless; used for distributing HTML docs

Front 73

HTTP communication

Back 73

1. Client establishes TCP connex using given URL (3-way handshake)
2. Client sends HTTP request
3. Svr provides document
4. TCP connex closed

Front 74

HTTP cmd:
GET

Back 74

a rqst to retrieve whatever info is ID'd by recipient

Front 75

HTTP cmd:
HEAD

Back 75

Same as GET, except svr must not returna msg-body, only meta-info

Front 76

HTTP cmd:
POST (think msgs)

Back 76

used to request the server to accept enclosed data as a new subordinate of the svr resource ID'd in rqst
- post a msg to BBS, newsgrp, mx list
- submitting a form to a data handling process

Front 77

HTTP cmd:
PUT (think files)

Back 77

rqsts enclosed item to be stored under ID'd svr resource

Front 78

GET data field:
Request start line

Back 78

contains rqst method, desired URL and HTTP version

Front 79

GET data field:
ACCEPT

Back 79

specifies certain media types that are acceptable for response

Front 80

GET data field:
ACCEPT CHARSET

Back 80

ID's which character sets are acceptable
if * is here, all are accepted

Front 81

GET data field:
ACCEPT ENCODING

Back 81

ID's encoding method client will accept

Front 82

GET data field:
ACCEPT-LANGUAGE

Back 82

ID's language client will accept

Front 83

GET data field:
COOKIE

Back 83

used to ID user to a svr

Front 84

GET data field:
USER-AGENT

Back 84

ID's browser app used by client

Front 85

GET data field:
HOST

Back 85

ID's URL client is rqsting

Front 86

Wireshark filter:
Show all HTTP error msgs

Back 86

http.response.code>399
others:
1XX-info
2XX-success
3XX-redirect
4XX-client error
5XX-svr error

Front 87

HTTPS

Back 87

uses port 443
same comm rules and syntax as HTTP
usually uses HTTPSURL prefix
ID's a secure connex w/padlock symbol

Front 88

SSL

Back 88

client can verify ID of svr
provides authentication, integrity, and confidentiality
x.509

Front 89

DNS

Back 89

client rqsts IP addr for a known FQDN
or
FQDN for a known IP addr

Front 90

DNS header

Back 90

Transaction ID (2B) matches rqsts/response packets
Flags (2B) type (0000-7FFF=query, 8000-FFFF=response)
Questions (2B) # of question records in rqst
Answer Records (2B) # of answer records in response

Front 91

DNS query:
Iterative

Back 91

svr to svr query when 1st svr does not know answer

Front 92

DNS query:
Recursive

Back 92

client to DNS and back to client query

Front 93

DNS reply

Back 93

responds to query
all smae fields as query, also includesanswer field at end of packet

Front 94

DNS record type:
A

Back 94

Mapping

Front 95

DNS record type:
CNAME

Back 95

canonical name (mapping) alias

Front 96

DNS record type:
MX

Back 96

mail records

Front 97

DNS record type:
AXFR

Back 97

zone tranfer

Front 98

DNS record type:
PTR

Back 98

pointer record
reverse lookup

Front 99

DNS zone transfer

Back 99

used between DNS svrs to keep DNS tables up to date
- when starting DNS service on secondary
- when refresh time expires
- when changes are saved to primary zone file
secondary svrs initiate zone transfers, primaries answer

Front 100

If in-addr.arpa is in ASCII portion of Wireshark, then...

Back 100

DNS is active in that packet

Front 101

LDAP

Back 101

port 389
x.500