Chapter 6 Quiz: Networking Fundamentals for Hackers

Multiple Choice Questions

1. ARP spoofing is primarily an attack against which OSI layer?
   a) Layer 1 (Physical)
   b) Layer 2 (Data Link)
   c) Layer 3 (Network)
   d) Layer 4 (Transport)

2. In Nmap's SYN scan (-sS), what response indicates that a port is open?
   a) RST-ACK
   b) SYN-ACK
   c) No response
   d) ICMP Port Unreachable

3. What is the maximum number of usable host addresses in a /28 subnet?
   a) 16
   b) 14
   c) 30
   d) 12

4. DNS cache poisoning is effective primarily because:
   a) DNS uses TCP for all queries, which can be easily hijacked
   b) DNS queries use UDP with only a 16-bit transaction ID for protection, making spoofed responses feasible
   c) DNS servers do not cache responses
   d) DNS uses strong encryption by default

5. Which Nmap scan type sets the FIN, PSH, and URG flags simultaneously?
   a) SYN scan (-sS)
   b) NULL scan (-sN)
   c) FIN scan (-sF)
   d) Xmas scan (-sX)

6. What is the primary purpose of the TCP three-way handshake?
   a) To encrypt the connection
   b) To synchronize sequence numbers and establish a reliable connection between two hosts
   c) To authenticate both parties
   d) To negotiate the data transfer rate

7. Which of the following is a private (RFC 1918) IP address range?
   a) 192.0.0.0/8
   b) 172.16.0.0/12
   c) 10.0.0.0/16
   d) 169.254.0.0/16

8. An attacker sends thousands of SYN packets to a target server without completing the three-way handshake. This attack is known as:
   a) ARP spoofing
   b) DNS amplification
   c) SYN flood
   d) MAC flooding

9. Which HTTP security header prevents clickjacking attacks?
   a) Content-Security-Policy
   b) X-Frame-Options
   c) Strict-Transport-Security
   d) X-Content-Type-Options

10. In Wireshark, which display filter would show only TCP packets with the SYN flag set and the ACK flag not set?
   a) tcp.flags == 0x02
   b) tcp.flags.syn == 1 && tcp.flags.ack == 0
   c) tcp.syn == true
   d) filter.tcp.syn_only

11. UDP amplification attacks are possible because:
   a) UDP requires a three-way handshake that can be exploited
   b) UDP is connectionless and the source IP can be spoofed, causing amplified responses to be sent to the victim
   c) UDP encrypts all traffic, hiding the attack
   d) UDP only works on local networks

12. What protocol weakness did the 2008 Pakistan/YouTube BGP hijacking exploit?
   a) BGP's use of weak encryption
   b) BGP's trust-based design with no built-in route authentication
   c) BGP's reliance on UDP
   d) BGP's centralized architecture

13. DNSSEC was designed to mitigate which specific DNS attack?
   a) DNS tunneling
   b) DNS zone transfer
   c) DNS cache poisoning
   d) DNS amplification

14. Which Scapy function sends a packet and waits for a single response?
   a) send()
   b) sendp()
   c) sr()
   d) sr1()

15. SMB's EternalBlue vulnerability (CVE-2017-0144) affected which version of the SMB protocol?
   a) SMBv1
   b) SMBv2
   c) SMBv3
   d) All SMB versions

Short Answer Questions

16. Explain why Layer 2 attacks (such as ARP spoofing) are particularly dangerous. How can they bypass security controls that operate at higher layers? Describe one defensive measure that operates at Layer 2 to prevent ARP spoofing.

17. You are conducting a penetration test of ShopStack's internal network. During your initial scan, you discover that several network switches respond to SNMP queries with the default "public" community string. Describe the information you could gather through SNMP enumeration and explain why this finding is significant from a security perspective.

18. Compare and contrast TCP and UDP from a security testing perspective. For each protocol, identify one specific attack technique that exploits that protocol's characteristics, and explain why that attack would not work with the other protocol.

19. Describe DNS tunneling: what it is, how it works, why it is effective as a data exfiltration technique, and two indicators that network defenders could use to detect it.

20. You capture the following Wireshark output during a penetration test:

10.0.1.50 -> 10.0.1.1   ARP   Who has 10.0.1.1? Tell 10.0.1.50
10.0.1.1  -> 10.0.1.50  ARP   10.0.1.1 is at aa:bb:cc:dd:ee:01
10.0.1.99 -> 10.0.1.50  ARP   10.0.1.1 is at aa:bb:cc:dd:ee:99
10.0.1.99 -> 10.0.1.50  ARP   10.0.1.1 is at aa:bb:cc:dd:ee:99
10.0.1.99 -> 10.0.1.1   ARP   10.0.1.50 is at aa:bb:cc:dd:ee:99

What is happening in this capture? Identify the attacker, the victim(s), and the attack being performed. What would be the effect of this attack on 10.0.1.50's network traffic?


Answer Key

1. b) Layer 2 (Data Link) — ARP operates at Layer 2, mapping IP addresses to MAC addresses.

2. b) SYN-ACK — A SYN-ACK response indicates that the port is open and the server is willing to complete the three-way handshake.

3. b) 14 — A /28 subnet has 2^4 = 16 total addresses, minus 2 (network address and broadcast address) = 14 usable hosts.

4. b) DNS queries use UDP with only a 16-bit transaction ID for protection, making spoofed responses feasible — The lack of authentication and the small transaction ID space make it possible to forge DNS responses.

5. d) Xmas scan (-sX) — The Xmas scan sets FIN, PSH, and URG flags, making the packet "lit up like a Christmas tree."

6. b) To synchronize sequence numbers and establish a reliable connection between two hosts

7. b) 172.16.0.0/12 — This is one of the three RFC 1918 private address ranges (along with 10.0.0.0/8 and 192.168.0.0/16). Note: 169.254.0.0/16 is link-local, not RFC 1918 private.

8. c) SYN flood — This denial-of-service attack exploits the TCP handshake by exhausting the target's connection table with half-open connections.

9. b) X-Frame-Options — This header controls whether a page can be loaded in an iframe, preventing clickjacking.

10. b) tcp.flags.syn == 1 && tcp.flags.ack == 0 — This filter shows SYN packets (connection initiation) without the ACK flag, which is useful for detecting port scans.

11. b) UDP is connectionless and the source IP can be spoofed, causing amplified responses to be sent to the victim — Because UDP does not verify the source address through a handshake, attackers can forge the source IP to direct amplified responses at victims.

12. b) BGP's trust-based design with no built-in route authentication — BGP was designed in an era of mutual trust and has no mechanism to verify that a network is authorized to announce a particular route.

13. c) DNS cache poisoning — DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify that records have not been tampered with.

14. d) sr1() — The sr1() function sends a packet at Layer 3 and returns the first response packet.

15. a) SMBv1 — EternalBlue specifically targeted a buffer overflow vulnerability in Microsoft's implementation of SMBv1.

16. Layer 2 attacks are dangerous because most network security controls (firewalls, IDS/IPS, ACLs) operate at Layer 3 and above. Since Layer 2 forms the foundation of the network stack, compromising it allows an attacker to manipulate traffic before it reaches higher-layer security controls. For example, ARP spoofing can redirect traffic through the attacker's machine, bypassing firewall rules that only inspect routed traffic. Dynamic ARP Inspection (DAI) is a Layer 2 defense that validates ARP packets against the DHCP snooping binding table, dropping ARP replies that do not match known IP-to-MAC bindings.

17. SNMP with default community strings allows extensive enumeration: system hostname, OS version, uptime, network interfaces and IP addresses, routing tables, ARP tables, running processes, installed software, and connected users. This is significant because it provides a detailed map of the internal network without needing to scan each host individually. With read-write access (the "private" community string), an attacker could modify device configurations, change routing, disable security features, or create backdoor access.

18. TCP is connection-oriented (uses three-way handshake) and guarantees delivery. Attack: SYN flood exploits the handshake by sending SYN packets without completing the connection, exhausting the target's connection table. This would not work with UDP because UDP has no handshake or connection state to exhaust. UDP is connectionless and does not verify source addresses. Attack: UDP amplification uses spoofed source IPs to direct amplified responses at a victim. This would not work with TCP because the three-way handshake requires the attacker to receive and respond to the SYN-ACK, preventing source IP spoofing for established connections.

19. DNS tunneling encodes arbitrary data within DNS queries and responses. The client encodes data in the subdomain portion of DNS queries (e.g., [encoded-data].tunnel.attacker.com), and the attacker's authoritative DNS server decodes the query and responds with data encoded in DNS response records (TXT, CNAME, etc.). It is effective because DNS traffic is typically allowed through firewalls and rarely inspected deeply. Detection indicators include: (1) Unusually long DNS queries (high entropy in subdomain names) and (2) Abnormally high volume of DNS queries to a single domain, particularly to unusual record types like TXT or NULL.
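The two detection indicators in answer 19, long high-entropy subdomain labels and a high volume of TXT/NULL queries to one domain, can be scored directly from resolver query logs. The following is an added example, not part of the quiz or any real product; the query log, the domain tunnel.attacker.example, the thresholds and the rule that the registrable domain is the last two labels are all assumptions made for the demonstration.

```python
import hashlib
import math
from collections import defaultdict

# Constructed resolver query log as (client, qname, qtype) tuples; not real traffic.
# The tunnel client sends many TXT queries whose leftmost label carries encoded data.
QUERIES = [
    ("10.0.1.50", "www.example.com", "A"),
    ("10.0.1.50", "mail.example.com", "MX"),
    ("10.0.1.50", "cdn.example.net", "A"),
] + [
    ("10.0.1.77",
     hashlib.sha256(str(i).encode()).hexdigest()[:48] + ".tunnel.attacker.example",
     "TXT")
    for i in range(12)
]


def shannon_entropy(s):
    """Bits per character of the string s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dns_tunnel_indicators(queries, min_queries=10, max_label_len=30, min_entropy=3.0):
    """Return {domain: [reasons]} for domains matching the tunneling indicators.
    Thresholds are illustrative assumptions, not tuned production values."""
    stats = defaultdict(lambda: {"count": 0, "long": 0, "entropy": 0, "txt_null": 0})
    for _client, qname, qtype in queries:
        labels = qname.rstrip(".").split(".")
        domain = ".".join(labels[-2:])          # assumption: registrable domain = last two labels
        leftmost = labels[0] if len(labels) > 2 else ""
        st = stats[domain]
        st["count"] += 1
        st["long"] += len(leftmost) > max_label_len
        st["entropy"] += shannon_entropy(leftmost) >= min_entropy
        st["txt_null"] += qtype in ("TXT", "NULL")
    flagged = {}
    for domain, st in stats.items():
        reasons = []
        if st["count"] >= min_queries and st["txt_null"] / st["count"] > 0.5:
            reasons.append("high volume of TXT/NULL queries to one domain")
        if st["long"] / st["count"] > 0.5 and st["entropy"] / st["count"] > 0.5:
            reasons.append("long, high-entropy subdomain labels")
        if reasons:
            flagged[domain] = reasons
    return flagged
```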

20. This capture shows an ARP spoofing / man-in-the-middle attack. The attacker is 10.0.1.99 (MAC aa:bb:cc:dd:ee:99). The victims are 10.0.1.50 and the gateway 10.0.1.1. First, 10.0.1.50 legitimately resolves 10.0.1.1's MAC address. Then 10.0.1.99 sends unsolicited ARP replies to 10.0.1.50 claiming that 10.0.1.1 is at the attacker's MAC (aa:bb:cc:dd:ee:99), and also tells 10.0.1.1 that 10.0.1.50 is at the attacker's MAC. The effect: 10.0.1.50's traffic destined for the gateway will be sent to the attacker instead, allowing the attacker to intercept, modify, or drop all network traffic from the victim.
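The reasoning in answer 20 (a reply nobody asked for, an IP whose MAC suddenly changes, one MAC claiming several IPs) is exactly what a host- or sensor-side ARP monitor checks. The following is an added example, not code from the quiz; it parses a copy of the question's capture lines (embedded here as constructed input) and reports each of those three conditions.

```python
import re
from collections import defaultdict

# Constructed copy of the capture shown in question 20; not live traffic.
CAPTURE = """\
10.0.1.50 -> 10.0.1.1   ARP   Who has 10.0.1.1? Tell 10.0.1.50
10.0.1.1  -> 10.0.1.50  ARP   10.0.1.1 is at aa:bb:cc:dd:ee:01
10.0.1.99 -> 10.0.1.50  ARP   10.0.1.1 is at aa:bb:cc:dd:ee:99
10.0.1.99 -> 10.0.1.50  ARP   10.0.1.1 is at aa:bb:cc:dd:ee:99
10.0.1.99 -> 10.0.1.1   ARP   10.0.1.50 is at aa:bb:cc:dd:ee:99
"""

REQUEST = re.compile(r"^(\S+)\s+->\s+(\S+)\s+ARP\s+Who has (\S+)\? Tell (\S+)$")
REPLY = re.compile(r"^(\S+)\s+->\s+(\S+)\s+ARP\s+(\S+) is at ([0-9a-f:]{17})$")


def analyze_arp(capture):
    """Return (alerts, ip_to_mac). alerts lists unsolicited replies, IP-to-MAC
    conflicts and MACs claiming several IPs; ip_to_mac holds the first MAC seen
    per IP, i.e. what a host would have cached before the spoofed replies."""
    pending = set()                 # (requester, target_ip) awaiting a reply
    ip_to_mac = {}                  # first MAC claimed for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
    alerts = []
    for line in capture.splitlines():
        line = line.strip()
        m = REQUEST.match(line)
        if m:
            _src, _dst, target_ip, requester = m.groups()
            pending.add((requester, target_ip))
            continue
        m = REPLY.match(line)
        if not m:
            continue
        _src, dst, claimed_ip, mac = m.groups()
        if (dst, claimed_ip) in pending:
            pending.discard((dst, claimed_ip))       # answers a real request
        else:
            alerts.append(f"unsolicited reply to {dst}: {claimed_ip} is at {mac}")
        prev = ip_to_mac.setdefault(claimed_ip, mac)
        if prev != mac:
            alerts.append(f"conflict: {claimed_ip} was {prev}, now claimed by {mac}")
        mac_to_ips[mac].add(claimed_ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims multiple IPs: {sorted(ips)}")
    return alerts, ip_to_mac
```

On this capture the monitor reports three unsolicited replies, two conflicts for 10.0.1.1 and one MAC (aa:bb:cc:dd:ee:99) claiming both 10.0.1.1 and 10.0.1.50, which is the attacker identified in the answer.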