Practical Packet Analysis - Security Scenarios

Play an AI-generated podcast conversation about this lesson

How can we filter for port 443?

tcp.port == 443

How can we be more accurate when filtering for port 443?

(tcp.srcport == 443 && ip.src == 64.13.134.52) || (tcp.dstport == 443 && ip.dst == 64.13.134.52)

What if we wanted to check all the responses from the target?

ip.src == 64.13.134.52

How can we filter for open ports only?

tcp.flags.syn == 1 && tcp.flags.ack==1 Signup and view all the answers

What is a gratuitous ARP?

An ARP packet sent out with the MAC address without a request for it. Signup and view all the answers

How can an attacker use gratuitous ARPs?

To place a device between the router and target. Signup and view all the answers

What is the purpose of using gratuitous ARPs?

To update ARP caches of other devices. Signup and view all the answers

Why is it important to know the MAC address of the target?

To impersonate the default gateway. Signup and view all the answers

What type of attack involves using gratuitous ARPs?

ARP poisoning. Signup and view all the answers

What happens when an attacker successfully uses gratuitous ARPs?

They can intercept and manipulate network traffic. Signup and view all the answers

What is the first step of attacking a network?

Reconnaissance Signup and view all the answers

What type of scan sends a SYN request to hosts and port numbers to scan for potential services?

SYN Scan Signup and view all the answers

How does SYN Scan determine which ports are open on a target host?

By analyzing the reply to the SYN request Signup and view all the answers

What does a target host's response of SYN/ACK indicate during a SYN Scan?

Port is open Signup and view all the answers

In SYN Scan, what does a target host's response of RST indicate?

Port is closed Signup and view all the answers

How can Wireshark help in identifying which ports are open, closed, and filtered during a SYN Scan?

By analyzing the conversations and packets captured Signup and view all the answers

How does session hijacking work?

By taking the session cookie and using it to access the currently logged in session. Signup and view all the answers

What was the purpose of FireSheep addon?

To hijack sessions over an open WIFI network. Signup and view all the answers

How has the mass adoption of HTTPS impacted session hijacking?

It has made session hijacking increasingly difficult due to encryption. Signup and view all the answers

What method can be used in a man-in-the-middle attack to intercept traffic and pretend to be the destination?

Access to an approved root CA on the target's machine. Signup and view all the answers

What is typically encrypted when using HTTPS?

Everything transmitted over HTTPS is encrypted. Signup and view all the answers

What can be observed in Wireshark when the session is transmitted over plain HTTP?

Session cookies can be intercepted and viewed in plain text. Signup and view all the answers

What is the purpose of ransomware?

Encrypt or lock out a computer until a sum of money is paid Signup and view all the answers

What is the significance of the C2 sequence in the context of cyber attacks?

All suspicious communications occur to the same server and script with various alphanumeric sequences Signup and view all the answers

How is encryption typically performed in cyber attacks?

Using asymmetric encryption Signup and view all the answers

What is the role of browser extensions in changing session cookies?

To change the current session cookie to the intercepted one Signup and view all the answers

What type of file was involved in the attack scenario described?

Flash application Signup and view all the answers

What is the action taken by the user that leads to the suspicious POST requests?

Downloading a flash file Signup and view all the answers