1. On a switch, each switchport represents a ____________.
B. Broadcast domain
D. Collision domain
2. Wireless access points function as a ____________.
3. What mode must be configured to allow an NIC to capture all traffic on the wire?
A. Extended mode
C. Monitor mode
D. Promiscuous mode
4. Which of the following prevents ARP poisoning?
A. ARP Ghost
B. IP DHCP Snooping
C. IP Snoop
5. Jennifer is a system administrator who is researching a technology that will secure network traffic from potential sniffing by unauthorized machines. Jennifer is not concerned with the future impact on legitimate troubleshooting. What technology can Jennifer implement?
6. MAC spoofing applies a legitimate MAC address to an unauthenticated host, which allows the attacker to pose as a valid user. Based on your understanding of ARP, what would indicate a bogus client?
A. The MAC address doesn’t map to a manufacturer.
B. The MAC address is two digits too long.
C. A reverse ARP request maps to two hosts.
D. The host is receiving its own traffic.
7. Bob is attempting to sniff a wired network in his first pen test contract. He sees only traffic from the segment he is connected to. What can Bob do to gather all switch traffic?
A. MAC flooding
B. MAC spoofing
C. IP spoofing
D. DOS attack
8. What technique funnels all traffic back to a single client, allowing sniffing from all connected hosts?
A. ARP redirection
B. ARP poisoning
C. ARP flooding
D. ARP partitioning
9. Which Wireshark filter displays only traffic from 192.168.1.1?
A. ip.addr =! 192.168.1.1
B. ip.addr ne 192.168.1.1
C. ip.addr == 192.168.1.1
D. ip.addr – 192.168.1.1
10. What common tool can be used for launching an ARP poisoning attack?
A. Cain & Abel
11. Which command launches a CLI version of Wireshark?
12. Jennifer is using tcpdump to capture traffic on her network. She would like to save the capture for later review. What command can Jennifer use?
A. tcpdump -r capture.log
B. tcpdump -l capture.log
C. tcpdump -t capture.log
D. tcpdump -w capture.log
13. What is the generic syntax of a Wireshark filter?
A. protocol.field operator value
B. field.protocol operator value
C. operator.protocol value field
D. protocol.operator value field
14. Tiffany is analyzing a capture from a client’s network. She is particularly interested in NetBIOS traffic. What port does Tiffany filter for?
1. D. Each switchport represents a collision domain, thereby limiting sniffing to only the clients residing on that port.
2. A. All wireless access points are essentially hubs in that they do not segregate traffic the way a traditional wired switch does.
3. D. An NIC must be configured to operate in promiscuous mode to capture all traffic on the network. More specifically, it allows the interface to capture both traffic that is intended for the host and traffic that is intended for other clients.
4. B. IP DHCP Snooping can be used on Cisco devices to prevent ARP poisoning by validating IP-to-MAC mappings based on a saved database.
5. C. Jennifer can implement a form of encryption for the traffic that she wants to protect from sniffing. Secure Shell traffic would not be readable if captured by a sniffer; however, any legitimate network troubleshooting efforts would also prove more challenging because of packet encryption.
6. C. MAC spoofing results in duplicate MAC addresses on a network unless the compromised client has been bumped from its connection. Two IP addresses mapping to one MAC indicates a bogus client.
7. A. Bob can launch a MAC flooding attack against the switch, thereby converting the switch into a large hub. If successful, this will allow Bob to sniff all traffic passing through the switch.
8. B. ARP poisoning alters ARP table mappings to align all traffic to the attacker’s interface before traveling to the proper destination. This allows the attacker to capture all traffic on the network and provides a jumping-off point for future attacks.
9. C. The Wireshark operator == means equal to. In this scenario, using the == operator filters down to 192.168.1.1 as the specific host to be displayed.
10. A. Cain & Abel is a well-known suite of tools used for various pen-testing functions such as sniffing, password cracking, and ARP poisoning.
11. C. The command for the CLI version of Wireshark is tshark.
12. D. Tcpdump uses the option -w to write a capture to a log file for later review. The option -r is used to read the capture file, or the capture can be opened in a GUI-based sniffer such as Wireshark.
13. A. Wireshark filters use the basic syntax of putting the protocol first followed by the field of interest, the operator to be used, and finally the value to look for (tcp.port == 23).
14. B. Tiffany looks for NetBIOS traffic on port 139. She can use the filter string tcp.port eq 139.