Practical Packet Analysis - Security Scenarios

Questions and Answers

How can we filter for port 443?

tcp.port == 443

How can we be more accurate when filtering for port 443?

(tcp.srcport == 443 && ip.src == 64.13.134.52) || (tcp.dstport == 443 && ip.dst == 64.13.134.52)

What if we wanted to check all the responses from the target?

ip.src == 64.13.134.52

How can we filter for open ports only?

tcp.flags.syn == 1 && tcp.flags.ack==1

What is a gratuitous ARP?

An ARP packet sent out with the MAC address without a request for it.

How can an attacker use gratuitous ARPs?

To place a device between the router and target.

What is the purpose of using gratuitous ARPs?

To update ARP caches of other devices.

Why is it important to know the MAC address of the target?

To impersonate the default gateway.

What type of attack involves using gratuitous ARPs?

ARP poisoning.

What happens when an attacker successfully uses gratuitous ARPs?

They can intercept and manipulate network traffic.

What is the first step of attacking a network?

Reconnaissance

What type of scan sends a SYN request to hosts and port numbers to scan for potential services?

SYN Scan

How does SYN Scan determine which ports are open on a target host?

By analyzing the reply to the SYN request

What does a target host's response of SYN/ACK indicate during a SYN Scan?

Port is open

In SYN Scan, what does a target host's response of RST indicate?

Port is closed

How can Wireshark help in identifying which ports are open, closed, and filtered during a SYN Scan?

By analyzing the conversations and packets captured

How does session hijacking work?

By taking the session cookie and using it to access the currently logged in session.

What was the purpose of FireSheep addon?

To hijack sessions over an open WIFI network.

How has the mass adoption of HTTPS impacted session hijacking?

It has made session hijacking increasingly difficult due to encryption.

What method can be used in a man-in-the-middle attack to intercept traffic and pretend to be the destination?

Access to an approved root CA on the target's machine.

What is typically encrypted when using HTTPS?

Everything transmitted over HTTPS is encrypted.

What can be observed in Wireshark when the session is transmitted over plain HTTP?

Session cookies can be intercepted and viewed in plain text.

What is the purpose of ransomware?

Encrypt or lock out a computer until a sum of money is paid

What is the significance of the C2 sequence in the context of cyber attacks?

All suspicious communications occur to the same server and script with various alphanumeric sequences

How is encryption typically performed in cyber attacks?

Using asymmetric encryption

What is the role of browser extensions in changing session cookies?

To change the current session cookie to the intercepted one

What type of file was involved in the attack scenario described?

Flash application

What is the action taken by the user that leads to the suspicious POST requests?

Downloading a flash file