Sniffing Module 07 Quiz
139 Questions

Questions and Answers

Which protocol is known to transmit data in clear text?

  • SSH
  • HTTPS
  • FTP (correct)
  • SSL

At which layer of the OSI model do sniffers operate?

  • Application layer
  • Network layer
  • Data Link layer (correct)
  • Transport layer

What defines active wiretapping?

  • Captures data without affecting it
  • Only monitors and records traffic
  • Intercepts data without altering it
  • Injects data into the communication (correct)

What is the primary function of a hardware protocol analyzer?

  • To capture signals and monitor usage (correct)

What does lawful interception involve?

  • Legally intercepting communications (correct)

Which of the following is a characteristic of passive wiretapping?

  • Records and monitors the traffic (correct)

Which of these protocols is NOT considered compromised regarding sniffing?

  • SSH (correct)

What is the main purpose of wiretapping?

  • To secretly monitor conversations (correct)

What technique does DNS poisoning utilize to mislead a DNS server?

  • Replacing legitimate IP addresses with false ones (correct)

Which of the following is a recommended way to defend against network sniffing?

  • Utilize switches rather than hubs (correct)

Which method can be used to capture and analyze network traffic?

  • Wireshark (correct)

What is one way an attacker can utilize MAC addresses to perform attacks?

  • By pretending to be associated users linked to a switch port (correct)

Which protocol should be used instead of FTP for secure file transfers?

  • SFTP (correct)

Which of the following attacks involves manipulating the cache of a DNS server?

  • DNS Cache Poisoning (correct)

What type of network traffic does Wireshark capture?

  • Various types including Ethernet and Bluetooth (correct)

How can one detect if any network interfaces are running in promiscuous mode?

  • By running diagnostic tools to check NIC settings (correct)

What is the purpose of an ARP request?

  • To obtain the MAC address corresponding to an IP address. (correct)

Which of the following describes ARP poisoning?

  • Flooding a target computer's ARP cache with forged entries. (correct)

What threat involves diverting communications between two machines through an attacker's PC?

  • Man-in-the-Middle Attack (correct)

How can a MAC duplicating attack be executed?

  • By sniffing the network for active MAC addresses. (correct)

What is the primary function of a sniffer in a network?

  • To monitor and capture data packets (correct)

Which type of sniffing involves monitoring packets without injecting any additional traffic?

  • Passive Sniffing (correct)

What happens after ARP requests and replies flood a switch?

  • The switch forwards all traffic to the attacker. (correct)

What happens during active sniffing in a switch-based network?

  • Additional data packets are injected into the network (correct)

Which of the following is NOT a threat associated with ARP poisoning?

  • Increased bandwidth usage (correct)

What technique can an attacker use in active sniffing to redirect traffic from the victim's machine?

  • ARP Spoofing (correct)

What is a common method used by attackers in ARP spoofing?

  • Constructing forged ARP requests and replies. (correct)

What does a switch do in 'forwarding mode'?

  • It forwards packets based on MAC addresses. (correct)

What type of traffic can potentially be captured by sniffers?

  • All types of network traffic (correct)

In a hub-based network, what advantage does passive sniffing provide?

  • Significant stealth advantages (correct)

What is a possible effect of MAC flooding in a network?

  • Flooding the CAM table (correct)

What is the first step an attacker takes when using sniffers to hack a network?

  • Connect to a switch port (correct)

What is the primary function of the PRISM tool?

  • To collect and process foreign intelligence data. (correct)

Which of the following describes MAC flooding?

  • Flooding the CAM table with fake MAC address and IP pairs. (correct)

What is one of the key defenses against MAC flooding attacks?

  • Implementing port security to allow only one MAC address. (correct)

What does Address Resolution Protocol (ARP) primarily do?

  • Resolves IP addresses to MAC addresses. (correct)

What data flow speed is reported for Europe in the context of wiretap rates?

  • 5 Gbps (correct)

Which component allows law enforcement to access intercepted data?

  • Storage System. (correct)

Which of the following is NOT part of the recommended port security configuration?

  • switchport port-security disable all ports (correct)

Which area has the highest data flow in hours related to wiretapping?

  • Latin America and Caribbean. (correct)

DNS poisoning tricks a DNS server into believing it has received authentic information.

  • True (correct)

Wireshark captures packets only on the networks supported by Ethernet.

  • False (correct)

Using a switch instead of a hub can help protect data by delivering it only to the intended recipient.

  • True (correct)

A common method for attackers to carry out a DNS attack is by creating fake DNS entries with the same name as legitimate servers.

  • True (correct)

Retrieving the MAC address directly from the OS is recommended to prevent MAC address spoofing.

  • False (correct)

Sniffing is a method used to capture and monitor data packets in a network.

  • True (correct)

Active sniffing requires the use of switches to be effective, while passive sniffing does not.

  • True (correct)

In passive sniffing, the attacker can send data packets into the network traffic.

  • False (correct)

MAC flooding is an example of an active sniffing technique.

  • True (correct)

A sniffer can be used to turn a standard NIC into promiscuous mode to listen to all transmitted data.

  • True (correct)

Sniffers operate at the Network layer of the OSI model.

  • False (correct)

Active wiretapping involves only monitoring and recording traffic.

  • False (correct)

A hardware protocol analyzer can capture and analyze individual data bytes passing through a cable.

  • True (correct)

Lawful interception requires consent from one of the involved parties.

  • True (correct)

All data sent via FTP is encrypted by default.

  • False (correct)

Passive wiretapping is considered a criminal offense in all circumstances.

  • False (correct)

IMAP is a protocol known for sending passwords in clear text.

  • True (correct)

A compromised protocol guarantees secure data transmission.

  • False (correct)

Sniffers can operate independently of the upper layers and remain undetected.

  • True (correct)

Telephone conversations can be monitored through wiretapping.

  • True (correct)

What is the primary consequence of DNS poisoning?

  • Manipulation of a DNS server's IP address records (correct)

How does Wireshark primarily capture network traffic?

  • Using Winpcap to capture packets on supported networks (correct)

Which method is effective in preventing MAC address spoofing?

  • Getting the MAC directly from the NIC instead of the OS (correct)

What is the purpose of using a switch instead of a hub in network configuration?

  • To reduce latency by isolating traffic to specific ports (correct)

Which technique can be employed to recognize if a machine is in promiscuous mode?

  • Utilizing specific tools to check NIC configurations (correct)

What is the primary difference between passive and active sniffing in a network?

  • Active sniffing requires manipulation of the network traffic. (correct)

Which technique allows an attacker to redirect traffic using ARP spoofing?

  • Flooding a switch's CAM table with ARP packets. (correct)

What makes passive sniffing more advantageous than active sniffing?

  • It is less likely to be detected. (correct)

Which kind of network equipment primarily exposes vulnerabilities to sniffing attacks?

  • Hubs that broadcast traffic to all ports. (correct)

What does MAC flooding aim to achieve in terms of network security?

  • To force a switch to behave like a hub. (correct)

Which of the following statements is true regarding active wiretapping?

  • It allows for intercepting and altering data traffic. (correct)

What is a primary function of hardware protocol analyzers?

  • To capture and analyze traffic without modification. (correct)

Which protocol is typically associated with transmitting data in clear text?

  • SMTP (correct)

What does passive wiretapping primarily allow an attacker to do?

  • Monitor and record traffic. (correct)

Which of the following could be considered a limitation of sniffers at the Data Link layer?

  • They are unable to capture all traffic types. (correct)

What distinguishes lawful interception from other types of data interception?

  • It requires user consent. (correct)

What is a common tool for monitoring network usage and identifying malicious traffic?

  • Hardware protocol analyzer (correct)

Which of the following protocols is vulnerable to sniffing due to transmitting data in clear text?

  • FTP (correct)

What technique is primarily used to monitor and capture telephone conversations by unauthorized parties?

  • Wiretapping (correct)

Which of the following statements is true regarding sniffing tools?

  • They can provide real-time monitoring of network traffic. (correct)

DNS poisoning results in the replacement of a true IP address with a false one at the DNS level.

  • True (correct)

Wireshark can capture packets from all network types without any limitations.

  • False (correct)

Using HTTPS instead of HTTP is a recommended approach to protect sensitive data during transmission.

  • True (correct)

Creating fake DNS entries is not a technique used in DNS attacks.

  • False (correct)

Retrieving the MAC address from the operating system helps in preventing MAC address spoofing.

  • False (correct)

Active sniffing involves monitoring packets without injecting additional data into the network traffic.

  • False (correct)

Passive sniffing can capture all traffic in a hub-based network because the hub sends traffic to all ports.

  • True (correct)

A common active sniffing technique is DHCP attacks, which can lead to network disruption and data theft.

  • True (correct)

MAC flooding can cause a switch to behave like a hub, exposing data to all connected devices.

  • True (correct)

Sniffing tools can only capture unencrypted data, making them ineffective against secure communications.

  • False (correct)

Sniffers can monitor data without the upper layers of the OSI model being aware of it.

  • True (correct)

Lawful interception can be performed without a warrant in most countries.

  • False (correct)

Active wiretapping involves monitoring and altering traffic.

  • True (correct)

HTTP is a protocol that transmits data securely by encrypting it.

  • False (correct)

A hardware protocol analyzer can only be used to capture signals without altering the traffic.

  • True (correct)

Passive wiretapping allows an attacker to inject false information into the communication.

  • False (correct)

Telnet is a protocol that securely transmits sensitive data.

  • False (correct)

Wireless networks can also be susceptible to wiretapping.

  • True (correct)

A hardware protocol analyzer can identify malicious network traffic generated by hacking software.

  • True (correct)

POP3 and IMAP are examples of protocols that can be compromised due to clear text transmission.

  • True (correct)

Which of the following accurately describes a feature of Wireshark?

  • It relies on Winpcap for capturing network packets (correct)

Which method is NOT recommended to defend against network sniffing?

  • Employing a hub for easier traffic monitoring (correct)

What is a major characteristic of DNS cache poisoning?

  • It can occur through insecure DNS configurations (correct)

How can sniffing be detected on a network?

  • By checking if any machines are running in promiscuous mode (correct)

What is the primary difference between passive sniffing and active sniffing in a network environment?

  • Passive sniffing involves monitoring without injecting data, while active sniffing involves injecting data into the network. (correct)

In the context of network sniffing, which technique specifically targets the Content Addressable Memory (CAM) of a switch?

  • MAC flooding (correct)

Which of the following explains how an attacker can successfully extract sensitive data using sniffers?

  • By redirecting traffic meant for the victim through their own machine. (correct)

What characteristic makes passive sniffing less detectable compared to active sniffing?

  • It only observes existing traffic without injecting any packets. (correct)

Which of the following types of sensitive information could potentially be captured through sniffing that relates to user authentication processes?

  • Telnet passwords (correct)

What best describes the primary capability of a hardware protocol analyzer?

  • To capture and analyze data packets according to predetermined rules. (correct)

Which type of wiretapping involves modifying the data being intercepted?

  • Active Wiretapping (correct)

Which layer of the OSI model do sniffers primarily interact with when capturing data?

  • Data Link Layer (correct)

What is a commonly used method by attackers during passive wiretapping?

  • Monitoring and recording the data without interference. (correct)

Which of the following is NOT a feature of lawful interception?

  • Monitoring without consent. (correct)

Which component is essential for any wiretapping process to be considered lawful?

  • Legal warrant or consent. (correct)

Which of the following protocols is susceptible to sniffing and transmits data in clear text?

  • POP (correct)

What is the consequence of employing a hardware protocol analyzer in a network?

  • Potential privacy concerns if used without permission. (correct)

What characterizes the process of sniffing in the context of network security?

  • Capturing data packets without altering their content. (correct)

Which hardware protocol analyzer is identified for its capability to monitor network usage?

  • FLUKE Networks OptiView® XG (correct)

Passive sniffing can capture all traffic on a switch-based network without injecting any packets.

  • False (correct)

DNS poisoning is a technique that tricks a DNS server into believing that it has received fraudulent information.

  • True (correct)

In active sniffing, an attacker collects traffic by flooding the switch's CAM table with address resolution packets.

  • True (correct)

Wireshark captures packets from Bluetooth and ADSL networks but not from Ethernet networks.

  • False (correct)

The primary advantage of using a hub in a network is to provide higher data security compared to switches.

  • False (correct)

Using a hub instead of a switch is recommended for secure communication since hubs deliver data only to the intended recipient.

  • False (correct)

The DNS cache poisoning technique allows an attacker to replace IP address entries for a target site with an IP address controlled by the attacker.

  • True (correct)

DNS poisoning is a passive technique that does not interfere with network traffic flow.

  • False (correct)

Sniffing allows attackers to capture sensitive information like Telnet passwords and email traffic.

  • True (correct)

Retrieving the MAC address directly from the operating system instead of the NIC prevents MAC address spoofing.

  • False (correct)

Wired equipment cannot be used to monitor network traffic due to the high speed of the data flow.

  • False (correct)

Passive wiretapping can change the content of the communications being monitored.

  • False (correct)

The Data Link layer of the OSI model operates independently and can be accessed by sniffers without affecting higher layers.

  • True (correct)

Lawful interception is a method used by law enforcement to avoid any legal consequences while intercepting data communications.

  • True (correct)

Active wiretapping involves simply monitoring the data without interacting with it.

  • False (correct)

Keysight N2X N5540A is an example of a hardware protocol analyzer used for monitoring network usage.

  • True (correct)

SMTP is known to transmit data securely without risks of sniffing.

  • False (correct)

A hardware protocol analyzer modifies data packets for better analysis of network traffic.

  • False (correct)

Telnet and FTP are protocols known to transmit data including usernames and passwords in clear text.

  • True (correct)

Wiring devices can be utilized for both active and passive wiretapping methods.

  • True (correct)

Study Notes

Sniffing Module 07

• Sniffing is the process of monitoring and capturing data packets on a network.
• Sniffing tools are used for wiretapping on computer networks.
• Switch ports can be left open, which allows anyone in the same physical location to plug into the network with an Ethernet cable.
• Sensitive information is often obtained through sniffing, including syslog traffic, Telnet passwords, router configurations, and FTP passwords.
• Other sensitive information acquired through sniffing includes web traffic, chat sessions, email, and DNS traffic.

How a Sniffer Works

• A sniffer switches the Network Interface Card (NIC) of a system into promiscuous mode.
• This mode allows the sniffer to listen to all the data transmitted on its segment.
• An attacker might make a switch behave as a hub, allowing a sniffer to capture traffic meant for other devices.
• A sniffer monitors network traffic by decoding the information encapsulated in the captured packets.

Passive Sniffing

• Passive sniffing involves monitoring traffic without actively injecting data into the network.
• It is done through a hub, where all traffic is sent to all ports.
• Hubs are now outdated; most modern networks use switches.
• All hosts in a hub-based network can see all traffic, which makes sniffing easier.
• Passive sniffing offers significant stealth compared to active sniffing.

Active Sniffing

• Active sniffing involves injecting packets into a switch-based network to obtain information.
• Attackers use techniques such as ARP flooding, DNS poisoning, switch port stealing, and spoofing attacks to acquire data in this way.
• In an active sniffing attack, a target computer's ARP cache is flooded with forged entries.

How an Attacker Hacks via Sniffers

• Attackers often use a laptop connected to a switch port.
• Discovery tools help identify the network topology.
• Specific machines are then singled out for targeted attacks.
• ARP spoofing redirects the victim's traffic to the attacker.
• Passwords and other sensitive data are retrieved from the redirected traffic.

Protocols Vulnerable to Sniffing

• Protocols that send data in clear text are vulnerable.
• These include HTTP, Telnet, Rlogin, POP, IMAP, SMTP, NNTP, and FTP.
• Keystrokes, usernames, and passwords carried by these protocols are equally exposed.
• Sniffers operate at the Data Link layer of the OSI model.
• The Data Link layer operates independently of the higher layers.
• Network traffic is easily sniffed because the upper OSI layers are unaware of the capture.
Hardware Protocol Analyzers

• Hardware protocol analyzers are devices that capture network traffic without altering it.
• They can monitor network usage and identify malicious activity.
• The individual data bytes of each packet are visible in the analyzer.
• Examples of hardware protocol analyzers include the Keysight N2X N5540A, Keysight E2960B, RADCOM PrismLite Protocol Analyzer, RADCOM Prism Ultra-Lite Protocol Analyzer, and FLUKE Networks OptiView XG.

Wiretapping

• Wiretapping is the monitoring of communications (telephone or internet) by a third party.
• It can use hardware, software, or a combination of both.
• It allows the tapping party to monitor, intercept, access, and record information in a communication system.
• Active wiretapping involves altering the communications.
• Passive wiretapping involves only monitoring and recording them.

Lawful Interception

• Lawful interception is the legally sanctioned interception of data communications for surveillance.
• It requires court orders and specific procedures.
• Law enforcement and intelligence agencies can access the intercepted data when required.

Wiretapping Case Study: PRISM

• PRISM is a data collection tool designed to collect and process foreign intelligence.
• Significant amounts of foreign internet traffic are routed through US servers.
• Wiretapping this traffic allows the data of foreign users to be intercepted and collected.

MAC Flooding

• MAC flooding involves overwhelming the CAM table of a switch with fake MAC address and IP pairs.
• This causes the switch to act as a hub by broadcasting traffic to all devices on the network.
• The attacker can then sniff that traffic.
• The flood of MAC addresses causes the switch to enter forwarding mode.
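The defender's counterpart to the MAC flooding bullets above is the port-security idea from the quiz: an access port should present only a handful of source MAC addresses, so a port that suddenly shows hundreds is being flooded. The following Python script is an added example, not code from the quiz or the module it summarizes; it builds a constructed frame log (port names such as Gi1/0/3, the frame fields, and the traffic mix are all assumptions) and flags any port whose count of distinct source MACs within a short window exceeds a limit.

```python
"""Detect MAC flooding by counting distinct source MACs per switch port.

Added example (not from the quiz or module). It models the port-security
rule of allowing only a few source MACs per access port and alerts when a
port exceeds that limit inside a sliding time window. All frame data below
is constructed; port names and field names are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Frame:
    ts: float   # seconds since capture start (assumed field)
    port: str   # switch port the frame arrived on (assumed field)
    src: str    # source MAC address


def random_mac(rng):
    """Return a random, locally formatted MAC string (constructed data)."""
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def build_sample_frames():
    """Constructed traffic: two normal hosts plus one flooding host."""
    rng = random.Random(7)  # fixed seed keeps the sample deterministic
    frames = []
    # Normal hosts: exactly one MAC per port, chatting for ten seconds.
    for t in range(10):
        frames.append(Frame(float(t), "Gi1/0/1", "00:11:22:33:44:01"))
        frames.append(Frame(float(t) + 0.5, "Gi1/0/2", "00:11:22:33:44:02"))
    # Flooding host on Gi1/0/3: a one-second burst, every frame a new MAC.
    for i in range(500):
        frames.append(Frame(3.0 + i * 0.002, "Gi1/0/3", random_mac(rng)))
    frames.sort(key=lambda f: f.ts)
    return frames


def detect_mac_flooding(frames, max_macs=5, window=2.0):
    """Return {port: peak distinct MACs} for ports exceeding max_macs.

    max_macs plays the role of a port-security maximum; window is the
    number of seconds over which source MACs are counted.
    """
    recent_by_port = defaultdict(list)  # port -> [(ts, mac)] inside window
    alerts = {}
    for f in frames:  # frames are processed in timestamp order
        recent = [(ts, mac) for ts, mac in recent_by_port[f.port]
                  if f.ts - ts <= window]
        recent.append((f.ts, f.src))
        recent_by_port[f.port] = recent
        distinct = len({mac for _, mac in recent})
        if distinct > max_macs:
            alerts[f.port] = max(alerts.get(f.port, 0), distinct)
    return alerts


if __name__ == "__main__":
    for port, peak in detect_mac_flooding(build_sample_frames()).items():
        print(f"ALERT {port}: {peak} distinct source MACs within window")
```

On a real switch the same limit is enforced in hardware by port security; this script is the monitoring-side check a defender can run over a capture or a switch's flow export to confirm whether a CAM table overflow is under way.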

ARP Spoofing Attacks

• Forged ARP packets direct traffic to the attacker.
• The attacker floods the switch with forged ARP requests and ARP replies.
• The ARP table is poisoned with incorrect entries, which divert the traffic to the attacker.

Threats of ARP Poisoning

• Communications between two machines are diverted through fake ARP messages.
• Packet sniffing, session hijacking, VoIP call tapping, data manipulation, Man-in-the-Middle attacks, and Denial-of-Service (DoS) attacks are all harms that follow from ARP poisoning.

MAC Spoofing/Duplication

• MAC spoofing involves actively changing or mimicking a MAC address to gain access to the network.
• Network traffic intended for the legitimate user is intercepted and routed to the spoofer.
• By listening to traffic on the network, malicious users learn legitimate users' MAC addresses and reuse them to receive that traffic.

DNS Poisoning Techniques

• DNS poisoning tricks a DNS server into accepting fake IP address information for a domain, leading victims to malicious sites or other exploits.
• An attacker can alter the IP address (at the DNS-server level) that the server returns to victims' computers, usually by replacing the true IP with an illegitimate one.

Sniffing Tool: Wireshark

• Wireshark is a commonly used network traffic capture and analysis tool.
• It supports various network types, including Ethernet and Token Ring.
• Wireshark uses WinPcap to capture packets and allows captures to be edited from the command line.
• Filters allow users to quickly identify specific packets.

How to Defend Against Sniffing

• Use HTTPS instead of HTTP to protect sensitive information.
• Use switches where appropriate, rather than hubs, so that packets are not sent to every device.
• Use SFTP instead of FTP to transfer files securely.
• Encrypt network communications with strong protocols (e.g., WPA2).
• Retrieve MAC addresses directly from the network interface card (NIC) rather than from the operating system.
• Use tools to monitor network interfaces for malicious use of promiscuous mode.

How to Detect Sniffing

• Check for devices operating in promiscuous mode.
• Use Intrusion Detection Systems (IDS) to detect changes in MAC addresses.
• Use network tools to monitor for and identify unusual packets.
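The ARP Spoofing Attacks section above describes the attack, and the detection bullets say an IDS should watch for changing MAC addresses. The following Python script is an added example, not code from the quiz or the module, that shows what such an IDS rule looks like: it walks a log of observed ARP replies, remembers the first IP-to-MAC binding it sees (or a static one supplied by the operator), and reports two signs of poisoning, an IP whose claimed MAC changes and a single MAC answering for several IPs. The reply log and its "sender_ip sender_mac" layout are constructed assumptions.

```python
"""Flag ARP cache poisoning from a log of observed ARP replies.

Added example (not from the quiz or module). Two IDS-style checks:
  1. an IP address whose claimed MAC differs from the first binding seen
     (or from an operator-supplied static binding);
  2. one MAC address answering for more than one IP, which is how a
     poisoning host sits between a victim and the gateway.
The sample log below is constructed data; its layout is an assumption.
"""
from collections import defaultdict

# Constructed sample: "sender_ip sender_mac" from ARP replies on one segment.
# 10.0.0.1 is the gateway; de:ad:be:ef:00:99 starts claiming it and a host.
SAMPLE_ARP_REPLIES = """
10.0.0.1 aa:bb:cc:00:00:01
10.0.0.20 aa:bb:cc:00:00:20
10.0.0.21 aa:bb:cc:00:00:21
10.0.0.1 aa:bb:cc:00:00:01
10.0.0.1 de:ad:be:ef:00:99
10.0.0.20 de:ad:be:ef:00:99
10.0.0.21 aa:bb:cc:00:00:21
"""


def parse_arp_log(text):
    """Turn the two-column log into a list of (ip, mac) tuples."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines instead of failing the whole run
        ip, mac = parts
        entries.append((ip, mac.lower()))
    return entries


def detect_arp_poisoning(entries, known_static=None, max_ips_per_mac=1):
    """Return (binding_changes, multi_ip_macs).

    binding_changes: list of (ip, expected_mac, observed_mac), one per reply
                     that contradicts the first (or static) binding for ip.
    multi_ip_macs:   {mac: sorted ips} for MACs claiming too many IPs.
    known_static:    optional {ip: mac} the operator trusts (e.g. the gateway).
    """
    bindings = dict(known_static or {})   # ip -> trusted / first-seen mac
    ips_by_mac = defaultdict(set)
    changes = []
    for ip, mac in entries:
        ips_by_mac[mac].add(ip)
        expected = bindings.get(ip)
        if expected is None:
            bindings[ip] = mac            # first time we see this IP
        elif expected != mac:
            changes.append((ip, expected, mac))
    multi = {mac: sorted(ips) for mac, ips in ips_by_mac.items()
             if len(ips) > max_ips_per_mac}
    return changes, multi


if __name__ == "__main__":
    changes, multi = detect_arp_poisoning(parse_arp_log(SAMPLE_ARP_REPLIES))
    for ip, expected, observed in changes:
        print(f"ALERT binding change for {ip}: {expected} -> {observed}")
    for mac, ips in multi.items():
        print(f"ALERT {mac} claims multiple IPs: {', '.join(ips)}")
```

Keeping the first-seen binding rather than updating it on every reply is deliberate: a poisoner must keep re-announcing the forged mapping to stay in the path, and each of those announcements then produces its own alert. Hosts with legitimately changing MACs (a replaced NIC, a failover pair) are the expected source of false positives, which is why the gateway and other fixed addresses are best supplied through known_static.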

Related Documents

Sniffing - Module 07 - PDF

Description

Test your knowledge of network sniffing in this quiz. It covers the process of monitoring data packets, the functions of sniffing tools, and how attackers exploit network weaknesses, along with the implications of capturing sensitive information on computer networks.
