Chapter 6
A1: | c |
A2: | e |
A3: | b,c |
A4: | d |
A5: | e |
A6: | c |
A7: | a,e |
A8: | c |
A9: | c,d |
A10: | a |
Q&A
1: | What are some of the benefits and drawbacks of ICMP scanning? |
A1: | ICMP is one of the most commonly used network protocols on the Internet. It allows for diagnostic determination of connectivity between hosts and networks. ICMP scans (echo-request sweeps) can be used by attackers to identify active IP addresses on a target network. The biggest limitation of ICMP scanning is that if the target network blocks ICMP echo at the edge router, or the hosts themselves do not answer echo requests, these scans do not work. Also, if the target network logs ICMP activity of the kind typically used in network scans, an ICMP scan is easily seen and the activity noted, because one source sending echo requests to many consecutive addresses in a short time is a distinctive pattern. |
2: | What is the order of events of an attack on a target network? |
A2: | Reconnaissance, target identification and enumeration, and then the access attack itself. Each stage narrows the next: reconnaissance finds the network, enumeration finds the hosts and services on it, and the access attack exploits one of those services. |
3: | What are trust exploitation attacks? |
A3: | Trust exploitation attacks occur when an attacker is able to access one system from another without authenticating because of a trust relationship between the two systems. Trust exploitation attacks can also be executed by one system on a subnet against another because of the lack of filtering within the subnet traffic. |
4: | Name some DDoS attack tools. |
A4: | Stacheldraht, Trin00 (also written trinoo), Tribe Flood Network (TFN), TFN2K, mstream, and shaft. These are the classic handler/agent DDoS tool kits rather than individual attacks; each can generate several flood types (for example SYN, UDP, and ICMP floods). |
5: | What are buffer overflows? |
A5: | Buffer overflows are attacks made possible by missing or improper bounds checking of input data in a program. By sending input that is longer than the buffer allocated for it, the attacker overwrites adjacent memory (on the stack, typically the saved return address) and redirects the program to execute code of the attacker's choice. This typically results in the creation of a shell within which the attacker gains access to the system, running with the privileges of the exploited program. |
6: | What type of attacks are buffer overflows and format string attacks? |
A6: | Application layer attacks |
7: | How does the TCP SYN flood attack work? |
A7: | The TCP SYN flood attack is a DoS attack that opens a large number of half-open TCP connections to the target. TCP SYN packets are sent to the target system, which responds with SYN-ACK packets and allocates an entry in its backlog queue for each one. The attacker never sends the final ACK of the three-way handshake (the SYNs usually carry spoofed source addresses, so no real host receives the SYN-ACK and resets the connection) but keeps sending new SYN packets until the TCP SYN backlog on the host is full. Once it is full, the target can no longer accept new TCP connections on that port until some of the half-open entries in the queue age out. |
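The two signatures described in A1 and A7, an ICMP echo sweep and a build-up of half-open connections, can both be spotted in ordinary packet summaries. The following detector is an added example, not code from the book; it parses tcpdump-style `-n` summary lines that were constructed for this demonstration, and the alert thresholds are assumptions to be tuned for the monitored network. Note that a SYN flood is counted per destination service, not per source, because flood sources are normally spoofed.

```python
"""Detect ICMP echo sweeps and TCP SYN floods from tcpdump-style summary lines.

Added example, not from the original page. The log lines below are
constructed for this demonstration; thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict

TCP_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)
ICMP_RE = re.compile(r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo request")

# Constructed sample capture: 203.0.113.7 sweeps six hosts with ICMP, then a
# spoofed-source SYN flood hits 198.51.100.10:80 while one legitimate client
# (192.0.2.5) completes a normal three-way handshake.
SAMPLE_LOG = """\
IP 203.0.113.7 > 198.51.100.9: ICMP echo request, id 1, seq 1, length 64
IP 203.0.113.7 > 198.51.100.10: ICMP echo request, id 1, seq 2, length 64
IP 203.0.113.7 > 198.51.100.11: ICMP echo request, id 1, seq 3, length 64
IP 203.0.113.7 > 198.51.100.12: ICMP echo request, id 1, seq 4, length 64
IP 203.0.113.7 > 198.51.100.13: ICMP echo request, id 1, seq 5, length 64
IP 203.0.113.7 > 198.51.100.14: ICMP echo request, id 1, seq 6, length 64
IP 192.0.2.5.51000 > 198.51.100.10.80: Flags [S], seq 100, win 64240, length 0
IP 198.51.100.10.80 > 192.0.2.5.51000: Flags [S.], seq 500, ack 101, win 65160, length 0
IP 192.0.2.5.51000 > 198.51.100.10.80: Flags [.], ack 501, win 64240, length 0
IP 10.9.8.1.1025 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
IP 10.9.8.2.1025 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
IP 10.9.8.3.1025 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
IP 10.9.8.4.1025 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
IP 10.9.8.5.1025 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
"""


def analyze(log_text):
    """Return (icmp_targets_by_src, half_open_by_dst).

    icmp_targets_by_src: source IP -> set of hosts it sent echo requests to.
    half_open_by_dst:    "dst:port" -> number of SYNs whose handshake the
                         client never completed with an ACK.
    """
    icmp_targets = defaultdict(set)
    syn_pending = {}  # client 4-tuple -> True while the handshake is incomplete
    for line in log_text.splitlines():
        m = ICMP_RE.search(line)
        if m:
            icmp_targets[m["src"]].add(m["dst"])
            continue
        m = TCP_RE.search(line)
        if not m:
            continue
        flow = (m["src"], m["sport"], m["dst"], m["dport"])
        flags = m["flags"]
        if flags == "S":                                   # bare SYN: half-open
            syn_pending[flow] = True
        elif "S" not in flags and "." in flags and flow in syn_pending:
            syn_pending[flow] = False                      # client's ACK completes it
    half_open = defaultdict(int)
    for (_src, _sport, dst, dport), pending in syn_pending.items():
        if pending:
            half_open[f"{dst}:{dport}"] += 1
    return dict(icmp_targets), dict(half_open)


def alerts(log_text, sweep_threshold=5, syn_threshold=5):
    """Assumed thresholds: 5 distinct hosts pinged by one source, and 5
    half-open connections to one service. Tune both to the real network."""
    icmp_targets, half_open = analyze(log_text)
    out = []
    for src, hosts in icmp_targets.items():
        if len(hosts) >= sweep_threshold:
            out.append(f"ICMP sweep from {src}: {len(hosts)} hosts probed")
    for svc, n in half_open.items():
        if n >= syn_threshold:
            out.append(f"possible SYN flood against {svc}: {n} half-open connections")
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
```

On the sample capture this reports one sweep (six hosts probed from 203.0.113.7) and one flood (five half-open connections to 198.51.100.10:80); the legitimate client is not counted because its ACK closed the half-open entry. A production detector would additionally age pending entries by time, which is exactly the mechanism the victim host relies on to recover once the flood stops.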
8: | What is a blind-TCP scan? |
A8: | In a blind-TCP scan, the attacker scans a network range using TCP connection attempts instead of ICMP, "blind" because no prior host discovery is done. The scan probes a small set of common service ports such as web, e-mail, and FTP. Although this may not provide a complete picture of all hosts that are reachable across the Internet, it does provide a sufficient list of publicly available servers. The scan is also much less visible to network administrators than an ICMP sweep, because it touches only ports that are likely to be open and its probes look like ordinary connection attempts to those services. |
9: | If a TCP ACK packet is sent to a port where a service is not listening, what is the response defined in RFC 793? |
A9: | A TCP RST packet is sent back. RFC 793 specifies that an endpoint in the CLOSED state answers any incoming segment other than a RST with a reset, so an unsolicited ACK to a closed port draws a RST. If no response at all comes back, a filtering device dropped the probe; silence does not mean the port is closed. |
10: | If a TCP ACK packet is sent to a port where a service is listening, what is the response defined in RFC 793? |
A10: | A TCP RST packet is sent back here as well. An ACK arriving on a socket in the LISTEN state belongs to no existing connection, and RFC 793 requires a reset for any ACK-bearing segment in that state. Because open and closed ports answer an ACK probe identically, an ACK scan reveals only whether a port is filtered or unfiltered, not whether a service is listening; a SYN probe is needed to tell the two apart. |
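The RFC 793 rules behind A9 and A10 can be simulated directly. The following is an added example, not code from the book: it models how an endpoint in the CLOSED state (no listener) and the LISTEN state (service present) answers an unsolicited probe segment, using RFC 793's reset-generation rule (a RST answering an ACK-bearing segment takes its SEQ from the incoming ACK field; otherwise the RST has SEQ=0 and ACK=SEG.SEQ+SEG.LEN, with SYN and FIN each counting as one octet). The `Segment` class, the `respond` helper, and the initial sequence number are this example's own assumptions. It also goes beyond the two questions to show why a SYN probe, unlike an ACK probe, does distinguish open from closed ports.

```python
"""Simulate RFC 793 replies to unsolicited TCP probe segments.

Added example, not from the original page. Segment representation, helper
names and the listener's ISS value (4000) are assumptions of this example.
"""
from dataclasses import dataclass


@dataclass
class Segment:
    flags: frozenset            # subset of {"SYN", "ACK", "RST", "FIN"}
    seq: int = 0
    ack: int = 0
    payload_len: int = 0

    def seg_len(self):
        # RFC 793: SYN and FIN each occupy one sequence number.
        return self.payload_len + ("SYN" in self.flags) + ("FIN" in self.flags)


def reset_for(seg):
    """Build the RST that RFC 793 section 3.4 mandates for a segment that
    belongs to no connection."""
    if "ACK" in seg.flags:
        return Segment(frozenset({"RST"}), seq=seg.ack)
    return Segment(frozenset({"RST", "ACK"}), seq=0, ack=seg.seq + seg.seg_len())


def respond(state, seg, iss=4000):
    """Return the reply Segment, or None if the endpoint stays silent.

    state is "CLOSED" (no service) or "LISTEN" (service present).
    iss is the initial send sequence number a listener picks (assumed value).
    """
    if "RST" in seg.flags:
        return None                       # a RST is never answered with a RST
    if state == "CLOSED":
        return reset_for(seg)             # anything else to a closed port: RST
    if state == "LISTEN":
        if "ACK" in seg.flags:
            return reset_for(seg)         # ACK on LISTEN: no such connection, RST
        if "SYN" in seg.flags:
            # Passive open: reply SYN-ACK acknowledging SEG.SEQ+1.
            return Segment(frozenset({"SYN", "ACK"}), seq=iss, ack=seg.seq + 1)
        return None                       # other segments without ACK or SYN are dropped
    raise ValueError(f"unsupported state {state!r}")


def classify_by_probe(probe):
    """What a scanner learns: the reply flag set for each possible port state.
    Identical entries mean the probe cannot tell the states apart."""
    result = {}
    for state in ("CLOSED", "LISTEN"):
        reply = respond(state, probe)
        result[state] = None if reply is None else tuple(sorted(reply.flags))
    return result


if __name__ == "__main__":
    ack_probe = Segment(frozenset({"ACK"}), seq=12345, ack=67890)
    syn_probe = Segment(frozenset({"SYN"}), seq=12345)
    fin_probe = Segment(frozenset({"FIN"}), seq=12345)
    print("ACK probe:", classify_by_probe(ack_probe))   # RST from both states
    print("SYN probe:", classify_by_probe(syn_probe))   # RST/ACK vs SYN/ACK
    print("FIN probe:", classify_by_probe(fin_probe))   # RST/ACK vs silence
```

The ACK probe yields a RST whether or not a service is listening, which is why an ACK scan only maps firewall rules. The SYN probe gets RST/ACK from a closed port and SYN/ACK from an open one, and a bare FIN probe gets RST/ACK from a closed port but nothing from a listener, the behaviour that "stealth" FIN scans rely on against strictly RFC-conformant stacks (some implementations deviate, so real scanners treat these results with care).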
11: | What are the two types of systems that are used in a DDoS attack? |
A11: | Handlers and agents. Handlers are systems that are initially exploited by an attacker, who then installs the DDoS control software on them. Handlers are then used to scan for other hosts with a vulnerability that can be exploited to gain access. Once those hosts have been compromised, the agent software is installed on them and they are ready for use in a DDoS attack. One handler host can control multiple agent hosts, and the attacker needs to contact only the handlers to launch the flood. |
