Samantha was hired to perform an internal security test of XYZ. She quickly realized that all networks are making use of switches instead of traditional hubs. This greatly limits her ability to gather information through network sniffing.
Which of the following techniques can she use to gather information from the switched network or to disable some of the traffic isolation features of the switch? (Choose two)
A. Ethernet Zapping
B. MAC Flooding
C. Sniffing in promiscuous mode
D. ARP Spoofing
In a typical MAC flooding attack,a switch is flooded with packets,each containing different source MAC addresses. The intention is to consume the limited memory set aside in the switch to store the MAC address-to-physical port translation table.The result of this attack causes the switch to enter a state called failopen mode,in which all incoming packets are broadcast out on all ports (as with a hub),instead of just down the correct port as per normal operation. The principle of ARP spoofing is to send fake,or ‘spoofed’,ARP messages to an Ethernet LAN. These frames contain false MAC addresses,confusing network devices,such as network switches. As a result frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or an unreachable host (a denial of service attack).
Ethereal works best on ____________.
A. Switched networks
B. Linux platforms
C. Networks using hubs
D. Windows platforms
Ethereal is used for sniffing traffic. It will return the best results when used on an unswitched (i.e. hub. network.
The follows is an email header. What address is that of the true originator of the message?
Spoofing can be easily achieved by manipulating the “from” name field,however,it is much more difficult to hide the true source address. The “received from” IP address
188.8.131.52 is the true source of the
Bob wants to prevent attackers from sniffing his passwords on the wired network. Which of the following lists the best options?
C. SMB,SMTP,Smart card
D. Kerberos,Smart card,Stanford SRP
Kerberos,Smart cards and Stanford SRP are techniques where the password never leaves the computer.
Which tool/utility can help you extract the application layer data from each TCP connection from a log file into separate files?
Tcpflow is a program that captures data transmitted as part of TCP connections (flows),and stores the data in a way that is convenient for protocol analysis or debugging. A program like ‘tcpdump’ shows a summary of packets seen on the wire,but usually doesn’t store the data that’s actually being transmitted. In contrast,tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.
Which of the following display filters will you enable in Ethereal to view the three-way handshake for a connection from host 192.168.0.1?
A. ip == 192.168.0.1 and tcp.syn
B. ip.addr = 192.168.0.1 and syn = 1
C. ip.addr==192.168.0.1 and tcp.flags.syn
D. ip.equals 192.168.0.1 and syn.equals on
When Jason moves a file via NFS over the company’s network, you want to grab a copy of it by sniffing. Which of the following tool accomplishes this?
Filesnarf – sniff files from NFS traffic
Specify the interface to listen on.
-v “Versus” mode. Invert thesenseofmatching,to
select non-matching files.
Specify regular expression for filename matching.
Specifyatcpdump(8)filter expression to selecttraffic to sniff.
Which of the following is not considered to be a part of active sniffing?
A. MAC Flooding
B. ARP Spoofing
C. SMAC Fueling
D. MAC Duplicating
ARP poisoning is achieved in _____ steps
The hacker begins by sending a malicious ARP “reply” (for which there was no previous request) to your router,associating his computer’s MAC address with your IP Address. Now your router thinks the hacker’s computer is your computer. Next,the hacker sends a malicious ARP reply to your computer,associating his MAC Address with the routers IP Address. Now your machine thinks the hacker’s computer is your router. The hacker has now used ARP poisoning to accomplish a MitM attack.
How would you describe a simple yet very effective mechanism for sending and receiving unauthorized information or data between machines without alerting any firewalls and IDS’s on a network?
A. Covert Channel
B. Crafted Channel
C. Bounce Channel
D. Deceptive Channel
A covert channel is described as: “any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy.” Essentially,it is a method of communication that is not part of an actual computer system design,but can be used to transfer information to users or system processes that normally would not be allowed access to the information.