Network Services: NetBIOS, DNS, SNMP and SMTP

Questions and Answers

Which NetBIOS service facilitates connection-oriented communication?

  • NetBIOS-NS
  • NetBIOS-DGM
  • NetBIOS-SSN (correct)
  • LLMNR

Which port is used by the NetBIOS Session Service?

  • TCP port 139
  • UDP port 137
  • TCP port 445 (correct)
  • TCP port 135

What two features in BIND 9.5.0 and higher help mitigate DNS cache poisoning attacks?

  • Provision of cryptographically secure DNS transaction identifiers and exclusion of any trust relationships between DNS servers.
  • Randomization of ports and exclusion of any trust relationships between DNS servers.
  • Randomization of ports and provision of cryptographically secure DNS transaction identifiers. (correct)
  • Secure DNS data authentication and prevention of any recursive DNS queries.

What UDP port number is the default for the SNMP protocol?

161 (D)

What is a primary characteristic of a DNS poisoning attack?

The DNS resolver cache is manipulated. (D)

Which Kali Linux tool is designed to gather information on devices configured for SNMP?

snmp-check (B)

Match the SMTP command with its description: MAIL

Used to denote the email address of the sender. (A)

Which two practices are most effective in mitigating FTP server abuse and attacks?

Limit anonymous logins to a select group of people and require re-authentication of inactive sessions. (B)

What is a characteristic of the pass-the-hash attack?

Capture of a password hash (as opposed to the password characters) and using the same hashed value for authentication and lateral access to other networked systems. (B)

What best describes a Kerberoasting attack?

It is a post-exploitation attempt that is used to extract service account credential hashes from Active Directory for offline cracking. (D)

Match the attack type with its respective description: Reflected DOS.

This attack uses spoofed packets that appear to be from the victim. Then the sources become unwitting participants in the attack by sending the response traffic back to the intended victim. (C)

Match the attack type with the correct description: DHCP Starvation attack

An attacker floods a server with bogus DISCOVER packets until the server exhausts the supply of IP addresses. (D)

Which tool is commonly used to perform a Disassociation attack?

Airmon-ng (B)

Which statement describes a characteristic of a Bluesnarfing attack?

An attack that can be performed using Bluetooth with vulnerable devices in range. This attack actually steals information from the device of the victim. (A)

Which Wi-Fi security protocol is most vulnerable to brute-force attacks during a Wi-Fi network deployment?

WPS (B)

Flashcards

NetBIOS-SSN

A service used for connection-oriented communication in a network.

NetBIOS Name Service

Provides name resolution on a NetBIOS network.

Randomization of ports

A security feature in DNS servers that randomizes the source port used for DNS queries.

Cryptographically secure DNS transaction identifiers

Encrypts DNS transaction identifiers to prevent tampering and spoofing.

snmp-check

A tool or script used to gather information on devices configured for SNMP.

Limit anonymous logins

Helps prevent FTP server abuse and attacks.

Use encryption at rest

Helps prevent FTP server abuse and attacks.

Pass-the-hash attack

Capturing a password hash and using it for authentication.

Kerberoasting

A post-exploitation attempt to extract service credential hashes for offline cracking.

DNS Amplification

An attack that exploits vulnerabilities to turn small queries into large payloads, overwhelming the victim's servers.

Reflected DOS

An attack employing spoofed packets to trick sources into sending response traffic to the victim.

Airmon-ng

Using Airmon-ng to perform a Disassociation attack.

Bluesnarfing

An attack that involves stealing sensitive information from Bluetooth devices in range.

MFP (Protected Management Frames)

Feature in 802.11w that helps defend against deauthentication attacks.

DNS resolver cache

A temporary database containing records of website visits and internet domains.

Study Notes

NetBIOS Services

  • NetBIOS-SSN is used for connection-oriented communication.
  • UDP port 138 is associated with NetBIOS Datagram Service.
  • UDP port 137 is associated with NetBIOS Name Service.
  • TCP port 445 is associated with SMB protocol.
  • TCP port 139 is associated with NetBIOS Session Service.
  • TCP port 135 is associated with Microsoft Remote Procedure Call (MS-RPC).

DNS Security and SNMP

  • Randomization of ports and cryptographically secure DNS transaction identifiers mitigate DNS cache poisoning attacks in BIND 9.5.0 and higher.
  • UDP port 161 is used by the SNMP protocol.
  • A characteristic of a DNS poisoning attack is that the DNS resolver cache is manipulated.
  • snmp-check is a Kali Linux tool/script used to gather information on devices configured for SNMP.

SMTP Commands

  • MAIL is used to denote the email address of the sender.
  • RSET is used to cancel an email transaction.
  • EHLO is used to initiate a conversation with an Extended Simple Mail Transport Protocol server.
  • DATA is used to initiate the transfer of the contents of an email message.
  • STARTTLS is used to start a Transport Layer Security connection to an email server.
  • HELO is used to initiate an SMTP conversation with an email server.

FTP Server Security

  • Limiting anonymous logins and using encryption at rest are best practices to mitigate FTP server abuse and attacks.

Pass-the-Hash and Kerberoasting Attacks

  • A characteristic of the pass-the-hash attack is the capture of a password hash and using the same hashed value for authentication and lateral access to other networked systems.
  • A Kerberoasting attack is a post-exploitation attempt that is used to extract service account credential hashes from Active Directory for offline cracking.

DOS Attack Types

  • Reflected DoS uses spoofed packets that appear to be from the victim, with the response traffic sent back to the intended victim.
  • Direct DoS occurs when the source of the attack generates the packets directly to the victim.
  • DDoS uses botnets manipulated from a command and control system.
  • DNS Amplification is an attack where vulnerabilities in target servers are exploited to turn small queries into much larger payloads.

Attack Types and Mitigation

  • Route Manipulation attacks involve a BGP hijacking attack by configuring or compromising an edge router.
  • Downgrade attacks force a system to favor a weak encryption protocol or hashing algorithm.
  • DHCP Starvation attacks flood a server with bogus DISCOVER packets.
  • VLAN Hopping attacks bypass layer 2 restrictions built to divide hosts.
  • MAC address spoofing attacks involve spoofing the physical address of the NIC device.
  • Airmon-ng can be used to perform a Disassociation attack.
  • Bluesnarfing involves stealing information from a victim's device using Bluetooth.
  • WPA2-TKIP is the Wi-Fi protocol most vulnerable to a brute-force attack during a Wi-Fi network deployment.

Wireless Security and DNS Cache

  • The MFP (Management Frame Protection) feature in the 802.11w standard helps defend against deauthentication attacks.
  • A DNS resolver cache on a Windows system is a temporary database that contains records of recent and attempted website visits.

Email Protocols and Ports

  • 465 is the port registered by IANA for SMTP over SSL (SMTPS).
  • 587 is the Secure SMTP (SSMTP) port for encrypted communications using STARTTLS.
  • 143 is the default port used by the IMAP protocol in non-encrypted communications.
  • 995 is the default port used by the POP3 protocol in encrypted communications.
  • 993 is the default port used by the IMAP protocol in encrypted (SSL/TLS) communications.
  • Port 25 is the default TCP port used in SMTP for non-encrypted communications.

Kerberos Attacks

  • A characteristic of a Kerberos silver ticket attack is the use of forged service tickets for a given service on a particular server.
  • Four items needed to create a silver ticket for a Kerberos silver ticket attack include hash value, system account, SID, and target service.
  • An IP spoofing attack is a DDoS attack.

Security Practices and Attack Types

  • DHCP snooping is a common mitigation practice for ARP cache poisoning attacks.
  • An attacker launching a reflected DDoS attack where response traffic is much larger than the attacker's initial packets is performing an amplification attack.
