101 Cards in this Set
- Front
- Back
The most critical component in network baselining is/are _________. |
historical baselines
|
|
Baseline |
- statistical profile of a performance metric, such as network-device or application utilization, response time, or traffic volume |
|
Particularly helpful in alerting you to the types of cyber attacks that cause significant changes in normal network and application traffic behavior |
Baselines |
|
multi-tiered baselining |
the low, average, and high metric levels are recorded hour-by-hour and day-by-day, so each new reading is judged against the tier for its own time slot rather than a single overall average
|
|
6 baselining methods and techniques |
- Multi-tiered baselining
- Top-to-bottom network monitoring
- Application monitoring
- Detailed packet-level analysis
- Continuous traffic capture
- Threshold alarms |
|
A solution providing the capability to see the network from a high-level, holistic (summary) perspective |
Top-to-bottom network monitoring |
|
What are the five types of application monitoring? |
- Well-known
- Web-based
- Complex
- Custom
- Unknown |
|
Identifying those applications consuming network resources |
Application monitoring |
|
Application monitoring:
Well-known |
recognition of well-known apps like HTTP, SMTP/POP, or multimedia, like RTP or SIP |
|
Application monitoring:
Web-based |
some client/server apps like FTP and mail are moving to web-based delivery over HTTP/HTTPS;
the monitor needs to be able to distinguish between normal web traffic and these types of apps |
|
Application monitoring:
Complex |
some apps use a range of TCP ports for communication, or they encapsulate higher-level apps |
|
Application monitoring:
Custom |
recognize, identify and report any custom app used on the network
|
|
application monitoring:
Unknown |
must identify and track extraneous or unrecognized apps, like Microsoft Server Message Block (SMB) for example, so they do not hide in the "unknown" bucket |
|
Allows the security specialist to identify the specific code being used in the attack and develop a security response to prevent future occurrences |
Detailed Packet-Level Analysis |
|
storing complete packet-by-packet net traffic audit trail for several days
|
Continuous traffic capture |
|
alerts the security specialist when a specific metric (utilization, abnormal app usage, response time) crosses a preset threshold |
Threshold alarms |
|
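A worked example of the multi-tiered baseline and threshold-alarm cards above, added here and not part of the original card set. The hour-by-hour utilization samples are constructed for the illustration, and the 20% alarm margin is an assumed setting:

```python
from collections import defaultdict
from statistics import mean

# Constructed utilization samples (percent of link capacity) for one week,
# as (day, hour_of_day, utilization). The numbers are made up for the example.
HISTORY = [
    (day, hour, base + (day % 3) * 2)
    for day in range(7)
    for hour, base in ((2, 5), (9, 40), (14, 55))
]


def build_baseline(samples):
    """Multi-tiered baseline: low / average / high for each hour-of-day slot."""
    by_hour = defaultdict(list)
    for _day, hour, util in samples:
        by_hour[hour].append(util)
    return {hour: {"low": min(v), "avg": mean(v), "high": max(v)}
            for hour, v in by_hour.items()}


def threshold_alarms(baseline, observations, margin=0.20):
    """Threshold alarm: flag a reading that leaves its hour's [low, high] band
    by more than `margin` (assumed 20%), or that lands in an hour with no history.
    A drop below the low tier matters too: a link or collector going dark."""
    alarms = []
    for day, hour, util in observations:
        tier = baseline.get(hour)
        if tier is None:
            alarms.append((day, hour, util, "no baseline for this hour"))
        elif util > tier["high"] * (1 + margin):
            alarms.append((day, hour, util, f"above high tier {tier['high']}"))
        elif util < tier["low"] * (1 - margin):
            alarms.append((day, hour, util, f"below low tier {tier['low']}"))
    return alarms


# Day 7 readings: a 09:00 spike, a normal 14:00, a dead-quiet 02:00, and an hour never baselined
TODAY = [(7, 9, 60), (7, 14, 58), (7, 2, 0.5), (7, 23, 10)]

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for hour in sorted(baseline):
        t = baseline[hour]
        print(f"{hour:02d}:00  low={t['low']}  avg={t['avg']:.1f}  high={t['high']}")
    for alarm in threshold_alarms(baseline, TODAY):
        print("ALARM", alarm)
```

The per-hour tiers are what make the 02:00 reading alarm: 0.5% would be unremarkable against a whole-day average, but it is well below the lowest value ever seen in that slot.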
What 5 components comprise the Packet Analysis Methodology? |
- Plan
- Deploy
- Capture
- Analyze
- Refine |
|
packet analysis methodology:
Plan |
what are you trying to identify or prove with packet analysis? |
|
packet analysis methodology:
Deploy |
where do you need to place the capture app/device for optimum capture? |
|
|
packet analysis methodology:
Capture |
process raw data into a usable format;
decide how to filter/display it for analysis |
|
packet analysis methodology:
Analyze |
determine whether the captured traffic identifies or proves the original hypothesis
|
|
packet analysis methodology:
Refine |
adjust capture parameters or the deployed location to provide better fidelity
|
|
2 basic categories of protocols |
Binary & Textual |
|
binary protocol |
transmits cmds/data as binary info |
|
What are 5 textual protocols? |
HTTP HTTPS SMTP POP IMAP (HTTPS carries HTTP's text inside TLS, so it is readable only after decryption) |
|
textual protocol |
transmits cmds/data as an easily readable format |
|
DHCP |
transport protocol is UDP (ports 67 server / 68 client) |
|
Ethernet Header |
1st 14 bytes of an Ethernet frame |
|
Ethernet Header: First 6 Bytes: 01:00:0C:CC:CC:CC |
A value of 01:00:0C:CC:CC:CC in the destination MAC address is the multicast address used by Cisco devices (e.g., for CDP) |
|
ARP Header |
bytes 15-42 of the Ethernet frame (28-byte header for Ethernet/IPv4). Target MAC (6B): zero/ignored in a request; in a reply, set to the request originator's MAC. Target IP (TIP, 4B): in a request, the IP whose MAC is being asked for; in a reply, the IP of the request originator
|
|
Filtering the ARP header to show all ARP requests |
arp.opcode == 1 (opcode 2 is a reply; 3 is a RARP request, not an ARP request) |
|
IPv4 Header |
bytes 15-34 of the frame without options (20 B), up to byte 74 with options (20-60 B); the IHL field gives the actual header length |
|
10th Byte of IP header (Protocol field) common values
|
1 (0x01) - ICMP (L3)
6 (0x06) - TCP (L4)
17 (0x11) - UDP (L4) |
|
IPv6 Header |
bytes 15-54 of the frame: fixed 40 B (no options; extension headers follow instead); Version field (4 bits) = 6 |
|
min MTU for IPv6 |
1280 bytes; IPv6 routers do not fragment, so the sender uses Path MTU Discovery to ensure every hop on the route can handle the packet size |
|
ipv6.nxt == 6 |
|
shows all IPv6 packets whose Next Header field is TCP (6) in Wireshark |
|
|
What 2 things are critical to ensure the IP packet's integrity is intact upon reassembly? |
Proper sequencing and |
|
Every fragment must be the same size except _________. |
the last one (every fragment except the last carries a multiple of 8 data bytes, because the Fragment Offset field counts in 8-byte units) |
|
ICMP |
provides error reporting, flow control (source quench) and first-hop gateway direction (redirect) |
|
ICMPv4 Header
|
Type (1B), Code (1B), Checksum (2B), then 4 bytes whose meaning depends on the type (e.g., identifier and sequence number for echo) |
|
where is the ICMP Header? |
fits in packet directly following the IP header
|
|
two types of ICMP msgs |
informational and error |
|
Data area of an ICMP error msg must contain __________.
|
the original (offending) IP header, including all options, plus at least the first 8 B of the original datagram's data
|
|
Type 3 error msg codes |
0 - Network unreachable
1 - Host unreachable
2 - Protocol unreachable
3 - Port unreachable
13 - Communication administratively prohibited |
|
ICMP filtering in wireshark
|
icmp.type==3 and icmp.code==3 |
|
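The Ethernet, ARP, IPv4 and ICMP offsets from the cards above, walked by a small dissector. This is an added example, not from the original deck; the two frames are built by hand from the field layouts (MACs and IPs are made up, checksums are left zero), and the two filter functions mirror arp.opcode == 1 and icmp.type == 3 && icmp.code == 3:

```python
import struct

ETHERTYPE_ARP, ETHERTYPE_IPV4 = 0x0806, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2                  # arp.opcode == 1 / 2 (3 is RARP)
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17    # 10th byte of the IPv4 header
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}           # carry the offending IP header + 8 B


def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_str(b): return ".".join(str(x) for x in b)
def ip_bytes(s): return bytes(int(x) for x in s.split("."))


def parse_ethernet(frame):
    """Bytes 1-14: destination MAC (6), source MAC (6), EtherType (2)."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src), "type": etype}


def parse_arp(data):
    """28-byte ARP header for Ethernet/IPv4 (bytes 15-42 of the frame)."""
    f = struct.unpack("!HHBBH6s4s6s4s", data[:28])
    return {"opcode": f[4], "sender_mac": mac_str(f[5]), "sender_ip": ip_str(f[6]),
            "target_mac": mac_str(f[7]), "target_ip": ip_str(f[8])}


def parse_ipv4(data):
    """20-byte fixed header plus options; IHL (low nibble of byte 1) gives the length."""
    ihl = (data[0] & 0x0F) * 4
    total_len = struct.unpack("!H", data[2:4])[0]
    return {"header_len": ihl, "proto": data[9], "src": ip_str(data[12:16]),
            "dst": ip_str(data[16:20]), "payload": data[ihl:total_len]}


def parse_icmp(data):
    """Type (1B), Code (1B), Checksum (2B), 4 type-specific bytes. For error
    messages the data area holds the offending IP header + 8 B of its payload,
    which is enough to recover the original TCP/UDP ports."""
    msg = {"type": data[0], "code": data[1]}
    if msg["type"] in ICMP_ERROR_TYPES:
        inner = parse_ipv4(data[8:])
        msg["original"] = inner
        msg["original_ports"] = struct.unpack("!HH", inner["payload"][:4])
    return msg


def dissect(frame):
    eth = parse_ethernet(frame)
    if eth["type"] == ETHERTYPE_ARP:
        return {"eth": eth, "arp": parse_arp(frame[14:])}
    if eth["type"] == ETHERTYPE_IPV4:
        ipv4 = parse_ipv4(frame[14:])
        pkt = {"eth": eth, "ip": ipv4}
        if ipv4["proto"] == PROTO_ICMP:
            pkt["icmp"] = parse_icmp(ipv4["payload"])
        return pkt
    return {"eth": eth}


# --- Builders used only to construct the sample frames (checksums left 0) ---
def build_ethernet(dst, src, etype, payload):
    return struct.pack("!6s6sH", mac_bytes(dst), mac_bytes(src), etype) + payload


def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr + payload


# Constructed ARP request: who-has 192.168.1.1, tell 192.168.1.10
ARP_FRAME = build_ethernet("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_ARP,
    struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, ARP_REQUEST,
                mac_bytes("00:11:22:33:44:55"), ip_bytes("192.168.1.10"),
                mac_bytes("00:00:00:00:00:00"), ip_bytes("192.168.1.1")))

# Constructed port-unreachable: the original datagram was UDP 10.0.0.5:40000 -> 10.0.0.9:33434
ORIGINAL = build_ipv4("10.0.0.5", "10.0.0.9", PROTO_UDP, struct.pack("!HHHH", 40000, 33434, 8, 0))
ICMP_FRAME = build_ethernet("00:11:22:33:44:55", "66:77:88:99:aa:bb", ETHERTYPE_IPV4,
    build_ipv4("10.0.0.9", "10.0.0.5", PROTO_ICMP,
               struct.pack("!BBHI", 3, 3, 0, 0) + ORIGINAL[:28]))


def arp_requests(frames):       # arp.opcode == 1
    return [p for p in map(dissect, frames) if p.get("arp", {}).get("opcode") == ARP_REQUEST]


def port_unreachable(frames):   # icmp.type == 3 && icmp.code == 3
    return [p for p in map(dissect, frames)
            if p.get("icmp", {}).get("type") == 3 and p["icmp"]["code"] == 3]


if __name__ == "__main__":
    for p in arp_requests([ARP_FRAME, ICMP_FRAME]):
        print("ARP who-has", p["arp"]["target_ip"], "tell", p["arp"]["sender_ip"])
    for p in port_unreachable([ARP_FRAME, ICMP_FRAME]):
        print("port unreachable for", p["icmp"]["original"]["dst"], "port", p["icmp"]["original_ports"][1])
```

The ICMP error carries only the first 8 bytes of the original datagram, but that is exactly the TCP/UDP port pair, which is what lets a traceroute or scanner match the error back to its probe.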
TCP header uses ________ and _________ to maintain order and assure receipt.
|
Seq #
Acknowledgement # |
|
TCP header contains 11 fields: |
Src port (2B), Dst port (2B), Sequence # (4B), Acknowledgement # (4B), Data offset (4 bits), Reserved, Control flags, Window (2B), Checksum (2B), Urgent pointer (2B), Options (variable, up to 40B) |
|
Ctrl flags
|
URG: the urgent pointer field is significant; urgent data is moved ahead of queued data and pushed up to the application immediately. The others are ACK, PSH, RST, SYN and FIN (bit values FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32) |
|
4-way graceful teardown |
either side can start this: FIN/ACK from the closing side, ACK from the peer, then FIN/ACK from the peer and a final ACK; each direction is closed separately |
|
phantom bit (phantom byte) |
SYN and FIN each consume one sequence number (value 1, 0x0001) even though they carry no data, so the SEQ#/ACK# exchange still advances by one for SYNs and FINs
|
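An added example (not part of the card set) that models the sequence-number accounting behind the control flags, the phantom byte and the 4-way teardown. The ISNs of 1000 and 5000 and the 100-byte data segment are arbitrary values chosen for the illustration:

```python
MASK = 0xFFFFFFFF
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def flag_names(flags):
    """Decode the control-flag bits of a TCP header into names, low bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def seq_consumed(flags, data_len):
    """Sequence space a segment occupies: its payload bytes plus one phantom
    byte for SYN and one for FIN. This is why a bare SYN or FIN still makes
    the peer's ACK number advance by one."""
    return data_len + (1 if flags & SYN else 0) + (1 if flags & FIN else 0)


class Endpoint:
    """One side of a connection: next sequence number to send, next expected from the peer."""

    def __init__(self, isn):
        self.snd_nxt = isn
        self.rcv_nxt = None

    def send(self, flags, data_len=0):
        seg = {"seq": self.snd_nxt, "ack": self.rcv_nxt if flags & ACK else None,
               "flags": flags, "len": data_len}
        self.snd_nxt = (self.snd_nxt + seq_consumed(flags, data_len)) & MASK
        return seg

    def receive(self, seg):
        self.rcv_nxt = (seg["seq"] + seq_consumed(seg["flags"], seg["len"])) & MASK


def session(client_isn=1000, server_isn=5000, data_len=100):
    """3-way handshake, one data segment, then the 4-way graceful teardown
    started by the client: FIN/ACK, ACK, FIN/ACK, ACK. Returns the segment trace."""
    c, s, trace = Endpoint(client_isn), Endpoint(server_isn), []

    def xfer(src, dst, who, flags, n=0):
        seg = src.send(flags, n)
        dst.receive(seg)
        seg["from"] = who
        trace.append(seg)

    xfer(c, s, "C", SYN)
    xfer(s, c, "S", SYN | ACK)
    xfer(c, s, "C", ACK)
    xfer(c, s, "C", PSH | ACK, data_len)
    xfer(s, c, "S", ACK)
    xfer(c, s, "C", FIN | ACK)   # client closes its direction
    xfer(s, c, "S", ACK)
    xfer(s, c, "S", FIN | ACK)   # server closes its direction
    xfer(c, s, "C", ACK)
    return trace


if __name__ == "__main__":
    for seg in session():
        print(f"{seg['from']} seq={seg['seq']} ack={seg['ack']} len={seg['len']} "
              f"[{' '.join(flag_names(seg['flags']))}]")
```

Reading the trace: the SYN/ACK acknowledges 1001 although the SYN carried no data, the server's ACK of the FIN is 1102 rather than 1101, and the final ACK is 5002 for the same reason.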
TCP Header exploits
|
OS enumeration by ISN: fingerprinting the operating system from the pattern of its Initial Sequence Numbers |
|
UDP
|
connectionless, unreliable transport mechanism |
|
UDP header
|
Src Port (2B), Dst Port (2B), Length (2B), Checksum (2B); 8 bytes total |
|
UDP filtering in wireshark |
udp.port == 53; shows all DNS traffic (queries and responses)
udp.dstport == 53; shows all DNS queries
udp.srcport == 53; shows all DNS responses |
|
DHCP
|
based on Bootstrap protocol |
|
dynamic DHCP
|
svr assigns IP to client for limited time (lease)
|
|
manual DHCP |
client's IP assigned by admin, DHCP just conveys the addr to client |
|
DORA
|
DHCP assignment process: Discover (client broadcast), Offer (server), Request (client), Acknowledge (server) |
|
DHCP NAK
|
Svr to client: refuses the client's request (e.g., the requested address is wrong for this subnet or the lease has expired); the client must start over with Discover |
|
DHCP Decline
|
client to svr
network addr already in use |
|
DHCP Release
|
client to svr: gives up the leased address before the lease expires |
|
DHCP Inform
|
client to svr: client already has an IP address (e.g., manually configured) and asks only for the other configuration parameters |
|
DHCP filtering in wireshark
|
bootp; shows all DHCP traffic (the dissector was renamed, so use dhcp in Wireshark 3.0 and later)
udp.port == 67 or udp.port == 68; shows all DHCP traffic |
|
Active FTP |
TCP port 21 (cmds); the server opens the data connection back to the client from TCP port 20 |
|
Passive FTP |
TCP port 21 (cmds); the client opens the data connection to an ephemeral port the server announces in its PASV reply |
|
FTP:
Bye |
ASCII:
QUIT terminates session |
|
FTP:
dir |
ASCII:
LIST detailed version of ls cmd (ls -al) |
|
FTP:
get |
ASCII:
RETR svr transfers copy of file to requester |
|
FTP:
ls |
ASCII:
NLST list contents of specified dir, files only |
|
FTP:
mkdir |
ASCII:
MKD creates dir on FTP svr |
|
FTP:
put |
ASCII:
STOR (not STORE) svr stores data sent to it as a file, overwriting it if already there |
|
HTTP
|
application-lvl protocol over TCP port 80
generic, stateless; used for distributing HTML docs |
|
HTTP communication
|
1. Client establishes a TCP connection to the host in the given URL (3-way handshake)
2. Client sends a request (method, URL, version, header fields)
3. Server returns a response (status line, header fields, body)
4. Connection is closed, or kept alive for further requests |
|
HTTP cmd:
GET |
a rqst to retrieve whatever info is ID'd by recipient |
|
HTTP cmd:
HEAD |
Same as GET, except the svr must not return a msg-body, only meta-info |
|
HTTP cmd:
POST (think msgs) |
used to request the server to accept enclosed data as a new subordinate of the svr resource ID'd in rqst |
|
HTTP cmd:
PUT (think files) |
rqsts enclosed item to be stored under ID'd svr resource |
|
GET data field:
Request line |
contains rqst method, desired URL and HTTP version |
|
GET data field:
ACCEPT |
specifies certain media types that are acceptable for response |
|
GET data field:
ACCEPT-CHARSET |
ID's which character sets are acceptable |
|
GET data field:
ACCEPT ENCODING |
ID's encoding method client will accept |
|
GET data field:
ACCEPT-LANGUAGE |
ID's language client will accept |
|
GET data field:
COOKIE |
used to ID user to a svr |
|
GET data field:
USER-AGENT |
ID's browser app used by client
|
|
GET data field:
HOST |
ID's URL client is rqsting
|
|
Wireshark filter:
Show all HTTP error msgs |
http.response.code>399 |
|
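The textual structure of HTTP described in the cards above, parsed by an added example that is not part of the original deck. The request and responses are constructed messages (host, user agent and cookie values are made up), and error_responses() does what the display filter http.response.code > 399 does:

```python
# Constructed sample request and responses, not real captures.
REQUEST = (b"GET /index.html HTTP/1.1\r\n"
           b"Host: www.example.com\r\n"
           b"User-Agent: ExampleBrowser/1.0\r\n"
           b"Accept: text/html,application/xhtml+xml\r\n"
           b"Accept-Charset: utf-8\r\n"
           b"Accept-Encoding: gzip, deflate\r\n"
           b"Accept-Language: en-US\r\n"
           b"Cookie: session=deadbeef\r\n"
           b"\r\n")

RESPONSES = [
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello",
    b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n",
    b"HTTP/1.1 500 Internal Server Error\r\nContent-Length: 0\r\n\r\n",
    b"HTTP/1.1 302 Found\r\nLocation: /login\r\nContent-Length: 0\r\n\r\n",
]


def parse_http(raw):
    """Split a textual HTTP message into its start line, header fields and body.
    Header names are case-insensitive, so they are normalized to lower case."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    start = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    msg = {"headers": headers}
    if start[0].startswith("HTTP/"):      # status line: version, code, reason phrase
        msg.update(kind="response", version=start[0], status=int(start[1]),
                   reason=start[2] if len(start) > 2 else "")
    else:                                  # request line: method, URL, version
        msg.update(kind="request", method=start[0], url=start[1], version=start[2])
    length = int(headers.get("content-length", len(body)))
    msg["body"] = body[:length]            # honour Content-Length, ignore trailing bytes
    return msg


GET_FIELDS = ("host", "user-agent", "accept", "accept-charset",
              "accept-encoding", "accept-language", "cookie")


def get_fields(msg):
    """Pull out the GET data fields listed on the cards from a parsed request."""
    return {f: msg["headers"][f] for f in GET_FIELDS if f in msg["headers"]}


def error_responses(raws):
    """Equivalent of the display filter http.response.code > 399."""
    return [m for m in map(parse_http, raws)
            if m["kind"] == "response" and m["status"] > 399]


if __name__ == "__main__":
    req = parse_http(REQUEST)
    print(req["method"], req["url"], req["version"])
    for name, value in get_fields(req).items():
        print(f"  {name}: {value}")
    for m in error_responses(RESPONSES):
        print("error:", m["status"], m["reason"])
```

The 302 is deliberately left out of the error list: a redirect to /login is a normal server answer, and the filter's cut-off at 399 is what keeps it out.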
HTTPS |
uses port 443 |
|
SSL/TLS
|
the client verifies the identity of the server from its certificate; the server can optionally require a client certificate as well |
|
DNS
|
client rqsts IP addr for a known FQDN |
|
DNS header
|
Transaction ID (2B) matches rqst/response packets; Flags (2B); Question, Answer, Authority and Additional record counts (2B each); 12 bytes total |
|
DNS query:
Iterative |
svr to svr query when the 1st svr does not know the answer; the queried svr returns the best referral it has rather than resolving the name itself |
|
DNS query:
Recursive |
client to DNS svr and back to client; the svr resolves the full name on the client's behalf
|
|
DNS reply
|
responds to query |
|
DNS record type:
A |
maps a hostname to an IPv4 address |
|
|
DNS record type:
CNAME |
canonical name (mapping) alias
|
|
DNS record type:
MX |
mail records
|
|
DNS record type:
AXFR |
zone transfer (a query type rather than a stored record) |
|
DNS record type:
PTR |
pointer record
reverse lookup |
|
DNS zone transfer
|
used between DNS svrs to keep DNS tables up to date |
|
If in-addr.arpa is in the ASCII portion of the Wireshark packet bytes, then... |
the packet is a DNS reverse (PTR) lookup: the IP address octets are reversed and appended to in-addr.arpa |
|
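An added example, not from the original deck, that builds and parses DNS queries and responses to show the 12-byte header, Transaction ID matching, A and PTR answers, and the in-addr.arpa naming. The names and addresses are constructed from the documentation ranges:

```python
import struct

QTYPE = {"A": 1, "CNAME": 5, "PTR": 12, "MX": 15, "AXFR": 252}
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080   # bits of the 2-byte Flags field


def encode_name(name):
    """'www.example.com' -> length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Read a name at `off`, following 0xC0xx compression pointers. Returns (name, end offset)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode())
        off += length


def build_query(txid, name, qtype):
    """Header: Transaction ID, Flags (RD set), QD=1, AN=0, NS=0, AR=0; then one question."""
    return (struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1))


def build_response(query, rdata, ttl=300):
    """Answer a query: same Transaction ID, QR set, question echoed,
    answer name given as a compression pointer back to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    qtype = struct.unpack("!H", query[qend:qend + 2])[0]
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
    answer = struct.pack("!HHHIH", 0xC00C, qtype, 1, ttl, len(rdata)) + rdata
    return header + query[12:qend + 4] + answer


def parse_dns(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE["A"]:
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (QTYPE["CNAME"], QTYPE["PTR"]):
            value, _ = decode_name(msg, off)
        else:
            value = msg[off:off + rdlen]
        off += rdlen
        answers.append((name, rtype, ttl, value))
    return {"txid": txid, "is_response": bool(flags & FLAG_QR),
            "questions": questions, "answers": answers}


def pair_transactions(packets):
    """Match each response to its query by Transaction ID, the way an analyst
    pairs udp.dstport == 53 with udp.srcport == 53 in a capture."""
    pending, pairs = {}, []
    for p in map(parse_dns, packets):
        if not p["is_response"]:
            pending[p["txid"]] = p
        elif p["txid"] in pending:
            pairs.append((pending.pop(p["txid"]), p))
    return pairs


def ptr_name_to_ip(name):
    """Undo the in-addr.arpa encoding: '10.2.0.192.in-addr.arpa' -> '192.0.2.10'."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError("not a reverse-lookup name")
    return ".".join(reversed(labels[:-2]))


# Constructed sample packets (documentation addresses, not real hosts)
Q_A = build_query(0x1A2B, "www.example.com", "A")
R_A = build_response(Q_A, bytes([192, 0, 2, 10]))
Q_PTR = build_query(0x3C4D, "10.2.0.192.in-addr.arpa", "PTR")
R_PTR = build_response(Q_PTR, encode_name("www.example.com"))

if __name__ == "__main__":
    for q, r in pair_transactions([Q_A, Q_PTR, R_PTR, R_A]):
        print(hex(q["txid"]), q["questions"][0], "->", r["answers"][0][3])
```

Responses arrive out of order in the sample on purpose: pairing on the Transaction ID, not on arrival order, is what keeps the PTR answer from being attributed to the A query.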
LDAP |
port 389 |