Chapter 13: Quiz — Network-Based Attacks
Test your understanding of network-based attack and defense techniques. Select the best answer for each question.
Question 1. What fundamental weakness of the ARP protocol makes ARP spoofing possible?
A) ARP uses weak encryption that can be easily broken
B) ARP is stateless and unauthenticated — devices accept unsolicited replies without verification
C) ARP broadcasts are limited to a single subnet, creating a trust boundary
D) ARP relies on DNS for address resolution, inheriting DNS vulnerabilities

Question 2. An attacker performing ARP spoofing must enable IP forwarding on their machine. What happens if they forget this step?
A) The attack fails silently with no effect on the victim
B) The victim's traffic is redirected to the attacker but not forwarded, causing a denial of service
C) The attack works normally but without traffic interception
D) The switch detects the attack and disables the attacker's port

Question 3. Which Layer 2 switch security feature validates ARP packets against a trusted DHCP binding table?
A) Port Security
B) BPDU Guard
C) Dynamic ARP Inspection (DAI)
D) Storm Control

Question 4. What is SSL stripping?
A) Removing SSL/TLS certificates from a web server
B) Intercepting the initial HTTP-to-HTTPS redirect and maintaining an HTTP connection with the victim while connecting to the server over HTTPS
C) Exploiting vulnerabilities in the SSL/TLS protocol to decrypt traffic
D) Stripping encrypted headers from HTTPS packets to reveal plaintext content

Question 5. How does HSTS (HTTP Strict Transport Security) defend against SSL stripping?
A) It encrypts all DNS queries to prevent DNS-based MITM
B) It requires client certificates for all connections
C) It instructs the browser to always use HTTPS for the domain, preventing HTTP downgrade
D) It validates the server's SSL certificate against a pinned hash

Question 6. In the Kaminsky DNS cache poisoning attack, what makes the attack more powerful than simply poisoning a single A record?
A) It poisons the AAAA (IPv6) records as well
B) It attempts to poison NS (Name Server) records to control resolution of the entire domain
C) It uses TCP instead of UDP for larger payload capacity
D) It targets the root DNS servers directly

Question 7. What is the primary purpose of DNS tunneling in an attack scenario?
A) To speed up DNS resolution for faster network access
B) To encrypt DNS queries for privacy
C) To establish a covert data exfiltration channel through DNS traffic that firewalls typically allow
D) To bypass DNSSEC validation

Question 8. Which VLAN hopping technique exploits the Dynamic Trunking Protocol (DTP)?
A) Double tagging
B) CAM table overflow
C) Switch spoofing
D) STP manipulation

Question 9. An attacker floods a switch with frames from thousands of random MAC addresses. What is the intended effect?
A) Crash the switch entirely
B) Fill the CAM table so the switch degrades to hub-like behavior, broadcasting all frames
C) Disable all VLANs on the switch
D) Trigger the switch to enter monitoring mode

Question 10. Which lateral movement technique uses the NTLM hash directly for authentication without requiring the plaintext password?
A) Kerberoasting
B) Credential stuffing
C) Pass-the-hash
D) Brute force

Question 11. What makes WMI-based lateral movement often preferred over PsExec?
A) WMI is faster and uses less bandwidth
B) WMI leaves fewer forensic artifacts than PsExec's service creation
C) WMI does not require administrative credentials
D) WMI bypasses all network firewalls

Question 12. Responder is a tool that captures NTLM hashes by poisoning which name resolution protocols?
A) DNS and DHCP
B) ARP and NDP
C) LLMNR, NBT-NS, and MDNS
D) WINS and DNS

Question 13. In the context of network segmentation, what does "East-West traffic" refer to?
A) Traffic flowing between the organization and the Internet
B) Traffic flowing between internal network segments (lateral traffic)
C) Traffic from the DMZ to internal servers
D) Encrypted traffic within a VPN tunnel

Question 14. Which defense prevents a rogue device from becoming the root bridge in an STP attack?
A) DHCP Snooping
B) BPDU Guard
C) Port Security
D) DAI

Question 15. During a penetration test, you perform ARP spoofing on the MedSecure admin VLAN and inadvertently capture patient health information transmitted in cleartext. What should you do FIRST?
A) Include the captured data as evidence in your penetration test report
B) Immediately stop the attack, securely delete the captured data, and notify the client
C) Continue the attack to gather more evidence of the vulnerability
D) Contact law enforcement about the HIPAA violation

Question 16. What is a KARMA attack in the context of wireless security?
A) A denial of service attack that jams wireless frequencies
B) A rogue AP that responds to all client probe requests, impersonating any requested network
C) An attack that exploits WPA3 key exchange vulnerabilities
D) A technique for cracking WPA2 handshakes offline

Question 17. Which of the following is the most effective defense against credential capture via network sniffing?
A) Implementing strong password policies
B) Using encryption for all network communications (TLS, IPsec, SSH)
C) Deploying network intrusion detection systems
D) Enabling MAC address filtering on all switch ports
Answer Key
1. B — ARP is a stateless, unauthenticated protocol. Devices accept ARP replies without requesting them and without verifying their authenticity. This fundamental design flaw, present since the protocol's creation in 1982, enables ARP spoofing attacks.
2. B — Without IP forwarding, traffic redirected to the attacker through ARP spoofing is not forwarded to the legitimate destination. The victim loses connectivity, creating a denial-of-service condition that makes the attack obvious and disruptive.
3. C — Dynamic ARP Inspection (DAI) validates ARP packets against the DHCP snooping binding table, which maps IP addresses to MAC addresses from legitimate DHCP transactions. ARP packets that do not match are dropped.
4. B — SSL stripping intercepts the initial HTTP-to-HTTPS redirect, maintaining an HTTP connection with the victim while establishing a legitimate HTTPS connection with the server. The attacker sees all traffic in plaintext while the server believes the connection is encrypted.
5. C — HSTS instructs the browser to always use HTTPS for a domain, even if the user types HTTP. Once HSTS is set (or preloaded), the browser will never make an HTTP request to that domain, making SSL stripping impossible for that site.
6. B — The Kaminsky attack attempts to poison NS records, giving the attacker authoritative control over an entire domain's resolution, not just a single host. This means all subdomains and records for that domain would resolve to attacker-controlled IPs.
7. C — DNS tunneling encodes data within DNS queries and responses to create a covert communication channel. Because DNS traffic is almost universally allowed through firewalls, it provides an effective exfiltration path even from highly restricted networks.
8. C — Switch spoofing sends DTP negotiation frames to trick the switch into establishing a trunk link, giving the attacker access to all VLANs. Double tagging exploits native VLAN processing and does not use DTP.
9. B — CAM table overflow (MAC flooding) fills the switch's MAC address table to capacity. When full, the switch cannot learn new MAC-to-port mappings and falls back to flooding all frames to all ports, effectively becoming a hub and allowing the attacker to sniff all traffic.
10. C — Pass-the-hash (PtH) uses the NTLM hash directly in the NTLM challenge-response protocol. Since the protocol only requires knowledge of the hash (not the plaintext), the attacker can authenticate without cracking the password.
11. B — PsExec creates a temporary Windows service on the target, generating Service Creation events (Event ID 7045) and other artifacts. WMI-based execution uses the existing WMI service and leaves fewer traces, making it harder to detect forensically.
12. C — Responder poisons LLMNR (Link-Local Multicast Name Resolution), NBT-NS (NetBIOS Name Service), and MDNS (Multicast DNS) requests. When a Windows client cannot resolve a name via DNS, it falls back to these protocols, which Responder intercepts.
13. B — East-West traffic flows laterally between internal network segments, as opposed to North-South traffic, which flows between the internal network and the Internet. Monitoring East-West traffic is essential for detecting lateral movement.
14. B — BPDU Guard protects against STP attacks by disabling a port that receives Bridge Protocol Data Units (BPDUs). Since access ports should never receive BPDUs, any BPDU arrival indicates a potential STP manipulation attack.
15. B — You should immediately stop the attack, securely delete any captured patient data, and notify the client's designated contact. Patient health information is protected under HIPAA, and retaining or including it unnecessarily in reports could constitute a violation. The vulnerability should still be reported, but without the actual patient data.
16. B — A KARMA attack uses a rogue AP that responds to all probe requests from client devices, impersonating whatever network the client is seeking. This causes victims to automatically connect to the attacker's AP, establishing a wireless MITM position.
17. B — Encryption renders captured traffic unreadable. TLS for web traffic, IPsec for network communications, and SSH for remote administration ensure that even if traffic is intercepted via MITM attacks, the content remains protected. Other defenses help but do not prevent capture of already-transmitted cleartext.