Cybersecurity Incident and Network Basics


Questions and Answers

What must be obtained before reproducing or distributing contents from this document?

  • No permission required
  • Verbal agreement
  • Public domain rights
  • Express prior written permission (correct)

Which part of an HTTP URI specifies the protocol used?

  • Scheme (correct)
  • Query
  • Path
  • Host

What is the default port for HTTP requests?

  • 8080
  • 21
  • 80 (correct)
  • 443

In what scenario would a POST request be more suitable than a GET request?

To send a signup form (D)

What component follows the path in an HTTP URI and allows passing parameters?

Query (A)

Which of the following HTTP methods is NOT commonly implemented by servers?

SEND (D)

What do HTTP headers consist of?

Multiple key-value pairs (B)

Which part of a query string is used by Google to represent what is being searched?

q parameter (C)

What is displayed in the first pane of the Wireshark interface?

Captured frames sorted by time (C)

Which protocols can be encapsulated within a frame as shown in the second pane?

Ethernet, IPv4, TCP, and HTTP (C)

What type of data representation is provided in the third pane of Wireshark?

Combined textual and hexadecimal representation (B)

How is hexadecimal data represented in Wireshark?

By converting 4 bits to a single character from 0 to F (C)

What is the purpose of using the display filter in Wireshark?

To filter frames based on specific criteria (C)

What would the filter 'ip.dst == 192.168.1.3' achieve in Wireshark?

It only displays frames with a specific destination IP address (D)

Which logical operators can be combined with filters in Wireshark?

AND/OR (D)

Which of the following best describes the overall functionality of Wireshark?

To capture and analyze network traffic in real-time (D)

What is the format of an IP address?

Four groups of numbers from 0 to 255 (C)

What does the broadcast IP address typically end with?

.255 (A)

Which of the following ranges represents multicast IP addresses?

224.0.0.0 to 224.0.0.255 (A)

What should be true for an IP address to be classified as public?

It must be assigned uniquely to a certain device (A)

What is the significance of private IP addresses?

They can be duplicated in different networks. (D)

Which of the following is NOT a range of private IP addresses?

200.100.0.0 – 200.100.255.255 (A)

What must protocols in a network contain to reach their intended recipient?

An IP address and specific addressing information (B)

What happens to a device that subscribes to a multicast address?

It can accept messages sent to that multicast IP. (D)

What is the primary purpose of the 'User Agent' header?

To convey information about the requesting client. (B)

What does a User Agent string allow the server to do?

Respond differently based on the type of client accessing the server. (D)

Which component is NOT typically included in a User Agent string?

Client's geographical location (A)

What should one do with the document without express prior written permission from Red Alpha Cybersecurity?

Manufacture or sell any products described in it. (A), Store it in a publicly accessible archive. (C), Reproduce, disclose, or distribute its contents. (D)

What information does the HTTP response provide?

Whether the request was handled successfully. (C)

What is the effect of HTTP response codes?

They indicate the success or failure of an HTTP request. (C)

What type of document is described in the content?

Proprietary document. (A)

Why is the information extracted from a User Agent string valuable?

It helps analyze HTTP network traffic and understand client devices. (B)

What is the significance of a public IP address for an internet network?

It enables a device to be accessible via the Internet. (C)

Which of the following statements about MAC addresses is true?

The first three groups of a MAC address identify the manufacturer. (B)

What is the format of a Broadcast MAC address?

FF-FF-FF-FF-FF-FF (C)

Why are port numbers important in network communication?

They identify specific running applications that can receive packets. (C)

Which of the following correctly describes multicast MAC addresses?

They start with a specific prefix, such as 01-80-C2. (B)

What is an OUI in the context of MAC addresses?

The first three groups of a MAC address indicating the manufacturer. (C)

What happens if a device has a private IP address?

It cannot be reached via the Internet. (C)

In a valid MAC address format, which components can represent the values?

Digits 0-9 and letters A-F. (A)

What is the main purpose of DNS in internet browsing?

To translate domain names into IP addresses (D)

What type of query does a DNS client send to get an IP address?

DNS request (B)

What does a DNS reply include in its response?

The request and the corresponding IP address (C)

In the context of online gaming, how does DNS function?

It assists in locating the game server by resolving its domain name (A)

Which statement is true regarding DNS queries and HTTPS communications?

DNS queries reveal which sites are visited before an HTTPS request. (A)

How does the structure of a DNS reply differ from a DNS query?

It contains the original query along with the answer. (A)

What is indicated when a computer shuts down while browsing and a network sniffer is running?

The sniffer can capture traffic only when the computer is on. (C)

Why is DNS crucial for human usability in Internet browsing?

It translates complicated domain names into user-friendly formats. (A)

Flashcards

IP Address (Internet Protocol Address)

A unique identifier assigned to a device on a network.

MAC Address (Media Access Control Address)

A unique identifier assigned to a network interface card (NIC) on a device.

Broadcast IP Address

An IP address that allows communication with all devices on a local network.

Multicast IP Address

An IP address that allows communication with specific devices on a network.

Private IP Address

A range of IP addresses reserved for private networks, not accessible from the internet.

Public IP Address

An IP address that is globally unique and accessible from the internet.

Network Packet

The data exchanged between devices on a network.

Application Protocol

A set of rules that govern how data is transmitted and received over a network.

What is a MAC address?

A unique identifier assigned to a network interface card (NIC) on a device. It's permanent and burned into the hardware.

What is OUI?

The first three groups of a MAC address, identifying the manufacturer of the network device.

What is a broadcast MAC address?

A special MAC address (FF-FF-FF-FF-FF-FF) used to send a message to all devices on the network.

What are multicast MAC addresses?

A MAC address that starts with a special prefix, used to send messages to a group of devices.

What is a port number?

A number between 1 and 65,535 that identifies a specific running application listening for network packets.

What is an IP address?

A unique identifier assigned to a device on a network. It allows devices to communicate with each other.

What is a public IP address?

An IP address that is globally unique and accessible from the internet.

What is a private IP address?

A range of IP addresses reserved for private networks, not accessible from the internet.

Wireshark Capture Pane

A pane showing all the captured frames from a network capture, sorted by default by time.

Wireshark Protocol Pane

A pane showing the structure of each captured packet, broken down by its different protocol layers.

Wireshark Binary Dump Pane

A pane displaying the raw data of the selected frame in both hexadecimal and textual formats.

Wireshark Display Filtering

A method of filtering packets within Wireshark by specific criteria, allowing the user to focus on relevant data.

Wireshark Source IP Filter

A filter type in Wireshark that allows you to select packets based on their source IP address, such as 'ip.src == 10.0.0.1'.

Wireshark Destination IP Filter

A filter type in Wireshark that allows you to select packets based on their destination IP address, such as 'ip.dst == 192.168.1.3'.

Wireshark Protocol Filter

A filter type in Wireshark that allows you to select packets based on a specific protocol.

Wireshark Logical Operators

Logical operators used in Wireshark filters, such as 'and', 'or', and 'not', to combine multiple filter criteria.

What is a URI?

A uniform resource identifier (URI) identifies a resource. URIs are generic and may be used for various purposes, like pointing to files.

What are the parts of an HTTP URI?

The HTTP URI consists of 5 main parts: scheme, host, port, path, and query.

What is the scheme in an HTTP URI?

The protocol used, either http or https.

What is the host in an HTTP URI?

The host running the webserver.

What is the port in an HTTP URI?

Port of the webserver. If not specified, the default port for the protocol is used (80 for http, 443 for https).

What is the path in an HTTP URI?

Path to the resource on the server.

What is the query in an HTTP URI?

Appears at the end of the path after the question mark. This is optional and allows passing parameters to the webserver. Parameters are given as key-value pairs and are separated using the ampersand (&) sign.

What are the most common HTTP methods?

GET and POST are the most common methods that are implemented by all servers and are utilized by your web browser directly.

What is the User-Agent header?

A header sent by a client to a server, providing information about the client's browser, operating system, and other details.

How can the server use the User-Agent header?

The server can provide different content (or style) for different clients based on their User Agent header. This allows for things like mobile-friendly versions of websites.

What information does the User-Agent header contain?

The 'User Agent' header can contain information like:

  • The browser (e.g., Chrome, Firefox)
  • The operating system (e.g., Windows, macOS)
  • The browser engine version (e.g., AppleWebKit 525.13)

What is an Application Protocol?

A set of rules that govern how data is transmitted and received over a network. HTTP is a common example.

What are HTTP response codes?

A series of codes indicating whether a request was completed successfully, the type and size of the response content, and whether the requested resource was found. For example, 200 (OK) means everything went well and 404 (Not Found) means the page doesn't exist.

Who sends the 'User-Agent' header?

In an HTTP request, the 'User-Agent' header is sent by the client (e.g., your web browser) to the server. This header provides information about the client's browser, operating system, and other details.

Why is the 'User-Agent' header useful?

The 'User-Agent' header allows the server to send content that is tailored to the specific client. This is useful for providing mobile-friendly versions of websites or for different browsers.

Are there other HTTP request headers besides 'User-Agent'?

The 'User-Agent' header is just one example of a header that can be used in an HTTP request. There are many other headers that provide additional information about the client or the request itself.

What is DNS (Domain Name System)?

A system that translates domain names (like google.com) into IP addresses (like 72.17.11.228) for computers to understand.

DNS Query

A request sent from your computer to a DNS server, asking for the IP address of a specific domain name.

DNS Reply

The response from a DNS server containing the IP address of the requested domain.

How does DNS work?

A client-server system where your computer (the client) asks a DNS server for an IP address.

How can you see websites visited even when HTTPS is used?

A tool like Wireshark can be used to analyze network traffic, including DNS queries, to see which websites someone has visited, even when HTTPS is used.

What is Content-Encoding?

Content-Encoding specifies the compression method used for a resource. It helps reduce the amount of data transferred across the network.

HTTPS

A protocol that's used to establish a secure connection between a client and a server, ensuring data privacy and integrity.

What is Wireshark?

A program that captures and analyzes network traffic. It helps understand what's happening on a network.

Study Notes

Cybersecurity Incident Basics

  • Every cybersecurity incident starts with a motivated attacker.
  • Attackers' motives can include money, power, fame, or revenge.
  • Targets can be individuals, companies, organizations, or countries.
  • Internet-connected networks are often used for attacks.
  • Malware infection and control are intermediate steps for attackers.
  • Attackers often extract data through the same network they used for the attack.
  • Network forensics helps understand attack origins, data leaks, and attackers' motives.

Network Packets and Protocols

  • Network packets carry various types of information similarly to letters.
  • Envelopes in a network are called packets, and the information type is referred to as the application protocol.
  • Addresses (IP and MAC) in networks ensure correct recipient delivery.
  • IP addresses are four-part number groups (0-255) and are network-dependent.
  • Broadcast IP addresses are meant for all network devices, while multicast addresses are targeted.
  • Private IP addresses (e.g. 10.0.0.0-10.255.255.255, 192.168.0.0-192.168.255.255, 172.16.0.0-172.31.255.255) are not unique to a specific device.
  • Public IP addresses must be unique.
  • MAC addresses are unique to network hardware and cannot be changed.

MAC Addresses and Special Addresses

  • MAC addresses are fixed hardware addresses in a specific format (XX-XX-XX-XX-XX-XX).
  • Organization Unique Identifiers (OUIs) identify manufacturers.
  • Broadcast MAC addresses (FF-FF-FF-FF-FF-FF) will be received by all devices on a network.
  • Multicast MAC addresses start with a specific prefix and are used for specific communication.

Ports and Application Protocols

  • Port numbers range from 1 to 65,535 and identify specific applications.
  • They allow network packets to be routed to the correct application.
  • Popular Protocols: HTTP, DNS, TCP
  • HTTP servers are located on ports 80 or 443.
  • DNS translates domain names to IP addresses.

Network Packet Analysis with Wireshark

  • Wireshark is a network traffic monitoring and analysis tool.
  • It logs network traffic, including malicious activity, and allows offline analysis of packet capture files (PCAP).
  • It can analyze network traffic in real-time or through existing PCAP files.

Wireshark Analysis

  • Wireshark displays captured frames categorized by protocols (Ethernet, IP, TCP, HTTP).
  • It enables sorting, filtering, and focusing on specific data by protocol and address.
  • Filters like ip.dst == [IP address] allow targeting specific network traffic based on its destination IP.

HTTP Protocols

  • HTTP is a client/server protocol where clients send requests, and servers respond.
  • HTTP requests include the type of request, desired resources, or commands.
  • HTTP headers provide additional information about the request.
  • Common header fields include "User-Agent," which reveals client information (e.g., browser, OS).
  • HTTP responses indicate whether a request was successful (e.g., 200 OK), redirected, or resulted in a client or server error.
  • HTTP protocol uses numbered codes to report success or failure.

DNS Lookups

  • DNS translates domain names to IP addresses.
  • DNS servers help resolve domain names to IP addresses during internet browsing.
  • DNS requests are typically sent before HTTP requests.

Guided Example

  • John's network investigation examines the IP addresses, MAC addresses, operating systems, and browsers found in a PCAP file, using Wireshark's statistical tools.
  • Public and private IPs are identified, and special IPs (e.g. broadcast and multicast) are separated out.
  • MAC addresses and their OUI (Organization Unique Identifier) groups are examined so that real devices can be told apart from broadcast and multicast addresses.

Related Documents

Network Forensics Tutorial PDF