CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [57]

is a simple DNS ID spoofing tool for Windows. To use it on a switched network, you must be able to sniff traffic of the computer being attacked. Therefore it may need to be used in conjunction with an ARP spoofing or flooding tool.

Distributed DNS Flooder sends a large number of queries to create a DoS attack, disabling DNS. If the DNS daemon software logs incorrect queries, the impact of this attack is amplified.

Describe Sniffing Countermeasures

The best security defense against a sniffer on the network is encryption. Although encryption won't prevent sniffing, it renders any data captured during the sniffing attack useless because the hacker can't interpret the information. Encryption such as AES and RC4 or RC5 can be utilized in VPN technologies and is a common defense against sniffing on a network.

Countermeasures

netINTERCEPTOR is a spam and virus firewall. It has advanced filtering options and can learn and adapt as it identifies new spam. It also intercepts and quarantines the latest e-mail viruses and Trojans, preventing a Trojan from being installed and possibly installing a sniffer.

Sniffdet is a set of tests for remote sniffer detection in TCP/IP network environments. Sniffdet implements various tests for the detection of machines running in promiscuous mode or with a sniffer.

WinTCPKill is a TCP connection termination tool for Windows. The tool requires the ability to use a sniffer to sniff incoming and outgoing traffic of the target. In a switched network, WinTCPKill can use an ARP cache-poisoning tool that performs ARP spoofing.

Exam Essentials

Understand how a sniffer works. A sniffer operates in promiscuous mode, meaning it captures all traffic regardless of the destination MAC specified in the frame.

Understand the differences between sniffing in a shared network connected via hubs and a switched network. All traffic is broadcast by a hub, but it's segmented by a switch. To sniff on a switched network, either flooding or ARP spoofing tools must be used.

Know the difference between packets and frames. Packets are created at layer 3 of the OSI model, and frames are created at layer 2.

Understand how the Address Resolution Protocol works. ARP is used to find a MAC address from a known IP address by broadcasting the request on the network.

Know the difference between active and passive sniffing. Active sniffing is used to trick the switch into acting like a hub so that it forwards traffic to the attacker. Passive sniffing captures packets that are already being broadcast on a shared network.
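Tools such as Sniffdet look for hosts in promiscuous mode; a complementary check for the ARP spoofing used in active sniffing is to watch ARP traffic for one IP address being announced from more than one MAC address. The following Python is an added example, not code from the book or from any tool it names; the frame layout is standard Ethernet/IPv4 ARP, and the sample frames and addresses are constructed for illustration.

```python
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))

def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet/IPv4 ARP frame (constructed sample data, not a real capture)."""
    dst = mac_bytes(tha) if op == ARP_REPLY else b"\xff" * 6   # requests are broadcast
    eth = ETH_HDR.pack(dst, mac_bytes(sha), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, ":".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa)

def find_ip_mac_conflicts(frames):
    """Map each IP announced from more than one MAC to the set of MACs that claimed it."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _op, sha, spa = parsed
        if spa != "0.0.0.0":          # ARP probes carry no sender IP; nothing to correlate
            seen[spa].add(sha)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}

# Constructed traffic: a request for the gateway, the gateway's reply, and a second host
# answering for the same IP (the symptom of ARP cache poisoning), plus one non-ARP frame.
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, "00:11:22:33:44:55", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(ARP_REPLY, "aa:bb:cc:dd:ee:01", "192.168.1.1", "00:11:22:33:44:55", "192.168.1.10"),
    build_arp(ARP_REPLY, "de:ad:be:ef:00:02", "192.168.1.1", "00:11:22:33:44:55", "192.168.1.10"),
    b"\x00" * 14,   # too short to be ARP; parse_arp ignores it
]
```

Running `find_ip_mac_conflicts(SAMPLE_FRAMES)` reports 192.168.1.1 as claimed by two MACs; in practice the frames would come from a capture on a span port or from the host's own interface, and a legitimate gateway failover can also produce one such alert.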

Review Questions

1. What is sniffing?

A. Sending corrupted data on the network to trick a system

B. Capturing and deciphering traffic on a network

C. Corrupting the ARP cache on a target system

D. Performing a password-cracking attack

2. What is a countermeasure to passive sniffing?

A. Implementing a switched network

B. Implementing a shared network

C. ARP spoofing

D. Port-based security

3. What type of device connects systems on a shared network?

A. Routers

B. Gateways

C. Hubs

D. Switches

4. Which of the following is a countermeasure to ARP spoofing?

A. Port-based security

B. WinTCPkill

C. Ethereal

D. MAC-based security

5. What is dsniff?

A. A MAC spoofing tool

B. An IP address spoofing tool

C. A collection of hacking tools

D. A sniffer

6. At what layer of the OSI model is data formatted into packets?

A. Layer 1

B. Layer 2

C. Layer 3

D. Layer 4

7. What is snort?

A. An IDS and packet sniffer

B. Only an IDS

C. Only a packet sniffer

D. Only a frame sniffer

8. What mode must a network card operate in to perform sniffing?

A. Shared

B. Unencrypted

C. Open

D. Promiscuous

9. The best defense against any type of sniffing is

A. Encryption

B. A switched network

C. Port-based security

D. A good security training program

10. For what type of traffic can winsniffer capture passwords? (Choose all that apply.)

A. POP3

B. SMTP

C. HTTP

D. HTTPS

Answers to Review Questions

1. B. Sniffing is the process of capturing and analyzing data on a network.

2. A. By implementing
