Network Attacks Flashcards

(62 cards)

1
Q

Occurs when one machine is continually flooding a victim with requests for services

A

Denial of Service (DoS) Attack

2
Q

A specific type of DoS attack that occurs when an attacker initiates multiple TCP sessions, but never completes those sessions

A

TCP SYN Flood

3
Q

Occurs when an attacker pings a subnet broadcast with a spoofed source IP, making the victimized server appear as the source

A

Smurf Attack (ICMP Flood)

4
Q

Occurs when an attacker uses many computers all at the same time, asking for access to a single server

A

Distributed Denial of Service (DDoS) Attack

5
Q

Botnet - Collection of compromised computers

Zombie - Any one of the individually compromised computers

A
6
Q

A network attack technique that attempts to compromise the security of a network switch by attempting to overflow the switch’s MAC table

A

MAC Flooding

7
Q

Normally, a switch utilizes its MAC table to associate switchports with the MAC addresses of connected devices

A
8
Q

Occurs when an attacker captures sensitive data by forcing the switch to broadcast traffic

A

Data Snooping

9
Q

Arises from MAC flooding, causing a DoS attack by overwhelming the network with unnecessary traffic

A

Disrupting Service

10
Q

Bypassing Security Measures

A

MAC flooding can bypass security measures like MAC address filtering

11
Q

To secure your networks you should:

A

Use an anomaly-based Intrusion Detection System (IDS)

Configure port security to limit MAC addresses per port

Set MAC address limits per switchport

Implement VLANs to segregate traffic

12
Q

A fundamental concept in IP networking that is used to map an IP address to MAC addresses on a local area network

A

Address Resolution Protocol (ARP)

13
Q

An attack wherein an attacker sends falsified ARP messages over a LAN | attacker aims to associate their MAC address with a target IP address

A

ARP Spoofing

14
Q

ARP spoofing can be used to initiate an on-path attack inside of a Layer 2 network

A
15
Q

A form of attack that corrupts the ARP cache (ARP table) in the network

A

ARP Poisoning

16
Q

ARP poisoning allows an attacker to alter the network traffic flow and enable data interception, session hijacking, or DoS attacks

A
17
Q

ARP Spoofing - Conducts a more targeted attack

ARP Poisoning - Targets all devices in a LAN

A
18
Q

How to detect ARP attacks?

A

Use ARP monitoring tools to track ARP address mappings

Alert network admins of unusual ARP traffic patterns

Configure IDSs to detect traffic anomalies

19
Q

How to prevent ARP spoofing and ARP poisoning?

A

Static ARP Entries - Manually inputting ARP mappings to prevent spoofing

Dynamic ARP Inspection - Switches inspect ARP packets, dropping suspicious mappings based on trusted MAC-IP pairs

Network Segmentation - Dividing the network into smaller segments limits the impact of ARP attacks and simplifies network management

VPNs or Encryption Technologies - VPN and encryption safeguard data against alterations from successful ARP spoofing

20
Q

Used to partition any broadcast domain and isolate it from the rest of the network at the data link layer (Layer 2) of the OSI model

A

Virtual Local Area Network (VLAN)

21
Q

Layer 3 routing is used, enabling application of access control lists to segregate and filter traffic between VLANs efficiently

A

As a network penetration tester, breaking out of a VLAN from a user’s workstation is necessary to access sensitive network areas

22
Q

A technique that exploits a misconfiguration to direct traffic to a different VLAN without proper authorization | Double tagging, switch spoofing, MAC table overflow attack

A

VLAN Hopping

23
Q

A method where the attacker tries to reach a different VLAN using vulnerabilities in the trunk port configuration

A

Double Tagging

24
Q

Inner tag - True destination

Outer tag - Native VLAN

A
25
One where commands are sent to the victim, but the attacker or pentester does not get to see any of the responses
Blind Attack
26
The other reason for using double tagging is when obtaining a response back is not necessarily required
DoS or Stress Testing Attack
27
Occurs when an attacker attempts to use the Dynamic Trunking Protocol (DTP) to negotiate a trunk port with a switch
Switch Spoofing
28
To prevent a switch spoofing attack:
Always configure switch ports to have dynamic switch port modes disabled by default
29
Allows VLANs to no longer be enforced
MAC Table Overflow Attack
30
Switch - Selectively transmits frames; Hub - Repeats every frame it receives
31
A fundamental component of the Internet that is responsible for translating human-friendly domain names into IP addresses
Domain Name System (DNS)
32
Involves corrupting DNS resolver cache with false information to redirect traffic
DNS Cache Poisoning (DNS Spoofing)
33
How to prevent DNS cache poisoning:
Utilize DNS security extensions (DNSSEC); Implement secure network configurations and firewalls
34
An attack in which the attacker exploits the DNS resolution process to overwhelm a target system with DNS response traffic
DNS Amplification Attack
35
Involves using the DNS protocol to encapsulate non-DNS traffic to attempt to bypass the organization's firewall rules
DNS Tunneling
36
Involves changing the registration of a domain name without the permission of the original registrant
Domain Hijacking (Domain Theft)
37
How to prevent domain hijacking:
Conduct regular updates; Ensure that account registration info is secure; Use domain registry lock services
38
An attack in which the attacker tries to get a copy of the entire DNS zone data by pretending to be an authorized system
DNS Zone Transfer Attacks
39
Attack where the attacker or pentester places their workstation between two hosts to capture, monitor, and relay communications
On-path Attack
40
Occurs when an attacker captures valid data and repeats it either immediately or with a delay
Replay Attack
41
Occurs when the attacker is able to insert themselves between two hosts and become part of the conversation
Relay Attack
42
Replay - Data is captured and directly passed on; Relay - Data is intercepted, modified, and then passed on
43
Network devices are identified using the hardware interface MAC address and their IP address
44
Unauthorized device or service on a corporate or private network that allows unauthorized individuals to connect to that network
Rogue Devices
45
Process of identifying and removing machines on the network that are not supposed to be there
Rogue System Detection
46
What is a rogue system?
Network taps, wireless access point (WAP), servers, wired and wireless clients, software, smart appliances
47
Physical device that is attached to cabling to record packets passing over the network segment
Network Tap
48
Device that can be connected to the network and extend the physical network into the wireless spectrum
Wireless Access Point (WAP)
49
How can you figure out what rogue devices there are and how do you detect them?
Visual inspection of ports and switches - Ensure that an attacker didn't install additional equipment or counterfeit equipment with fake asset tags. Conduct monthly or quarterly inventories
Conduct network mappings and host discovery - Using enumeration scanners can identify hosts via banner grabbing or fingerprinting of devices across the network
Wireless monitoring (Wireless sniffing and discovery) - This is used to find unknown or unidentifiable service set identifiers (SSIDs) showing up within range of the office
Packet sniffing and traffic flow - This is used to identify the use of unauthorized protocols on the network and unusual peer-to-peer communications flows
NAC and intrusion detection - Automated network scanning and defense and remediation suites are combined to try to prevent rogue devices from accessing the network. Intrusion detection involves scanning the network and flagging any new things
50
Sending an email in an attempt to get a user to click a link
Phishing
51
Sending out emails to capture the most people, without really targeting any particular person or group
Phishing
52
More targeted form of phishing
Spear Phishing
53
Focused on key executives within an organization | CEO, COO, CFO, CIO
Whaling
54
Entering a secure portion of the organization's building by following an authorized person into the area without their knowledge or consent
Tailgating
55
Similar to tailgating, but occurs with the employee's knowledge or consent
Piggybacking
56
Coming up behind an employee and trying to use direct observation to obtain information
Shoulder Surfing
57
A piece of malicious software disguised as a piece of harmless or desirable software
Trojan Horse
58
Provides the attacker with remote control of a victim machine
Remote Access Trojan (RAT)
59
A company implements VLANs to segregate its departments' network traffic. During a security audit, a potential vulnerability is identified where an attacker could gain unauthorized access to another VLAN. What technique could the attacker use?
VLAN Hopping
60
Cozyco Investments has experienced a cyberattack aimed at intercepting web traffic to steal sensitive information. It involved a technique that corrupts the DNS cache of a server to redirect users to malicious websites. Which of the following is the most likely to have been used?
DNS poisoning
61
While connecting to a public Wi-Fi network at a coffee shop, you unknowingly connect to a rogue access point set up by an attacker to intercept your data. This scenario is an example of:
Evil Twin
62
Bankco, a financial institution, is concerned that the sensitive data that it transmits between branches over a wide area network (WAN) could be compromised. Considering this, what type of attack could intercept and manipulate this data in transit?
On-path attack