SANS GISCP and GIAC Full Solution Pack 2022-2023
with complete solution
Ack Piggybacking
The Practice of sending an ACK inside another packet going to the same destination
Address resolution protocol
Protocol for mapping an IP address to a physical machine address that is recognized on
the local network.
A table, usually called the ARP cache, is used to maintain a correlation between each
MAC and its corresponding IP address
What are the five threat vectors?
Outside attack from network
Outsider attack from telephone
Insider attack from local network
insider attack from local system
attack from malicious code
What are some external threat concerns?
-Malicious code might execute destructive overwrite to hard disks
-Malicious mas mailing code might expose sensitive information to the internet
- web server compromise might expose organization to ridicule
- Web server compromise might expose customer private data
What are some ways to bypass firewall protections?
- Worms and Wireless
- modems
- tunnel anything through HTTP
- social engineering
What is social engineering?
- attempt to manipulate or trick a person into providing information or access
- bypass network security by exploiting humans
- vector is often outside attack by telephone or visitor inside
What is Hping?
- a TCP version of ping
- sends custom TCP packets to a host and listens for replies
- enables port scanning and spoofing simultaneously
What is a group?
A group means multiple iterations won't matter. If you encrypt with a key, then re-
encrypt, it's the same as using one key.
What is a port scan?
- common backdoor to open a port
- port scan scans for open ports on remote host
- scans 0 - 65,535 twice. TCP and UDP
What is nmap?
Network scanner.
What are nmap scanning techniques?
,- Full open
- half open (stealth scan)
- UDP
- Ping
What is network stumbler?
- free windows based wireless scanner for 802.1b
- detects access point settings
- supports GSP integration
- identifies networks as encrypted or unencrypted
What is Kismet?
- Free linux WLAN analysis tool
- completely passive, cannot be detected
- supports advanced GPS integration and mapping features
- used for wardriving, WLAN vulerability assessment
What is Wardriving?
Going around with equipment to detect wireless networks
What is War Dialing?
- trying to ID modems in a telephone exchange that may be susceptible to compromise
What are some Pen Test techniques?
- War dialing
- war driving
- Sniffing
- eavesdropping
- dumpster diving
- social engineering
What is IDS?
- intrusion detection system
- it reports attacks against monitored systems/networks
What is IDS not?
- not a replacement for firewalls, hardening, strong policies, or other DiD methods
- low maintenance
- inexpensive
What are the four types of events reported by IDS?
- true positive
- false positive
- true negative
- false negative
How does IDS signature analysis work?
- rules indicate criteria in packets that represent events of interest
- rules are applied to packets as they are received
- alerts are created when matches are found
How does anomaly analysis work?
- flags anomalous conditions in traffic on the network
- requires understanding on what is normal
- bases good traffic as a baseline
What is deep packet inspection?
,- slow, requires stateful data tracking
- inspects all fields, including variable-length fields
What is shallow packet inspection?
- fast, with little fidelity
- examines header information and limited payload data
What is Honeyd?
- low interaction production honeypot
- network daemon that can simulate other hosts
- each host can appear as a different OS
What is a netcat listener?
- simplest form of a research honeypot
- useful in identifying nature of TCP scans, allows attacker to complete 3-way
handshake
- listens on a defined port, logs incoming requests for analysis
What are some disadvantages of honeypots?
- improper deployment can increase attack risk - if production systems aren't sufficiently
protected, they can be vulnerable from a honeypot
- legal liability
What are some honeypot advantages?
- provides insight into the tactics, motives, and attacker tools
What is a honeypot?
- a system resource that has no legitimate purpose or reason for someone to connect to
it
- its purpose is to draw in attackers to understand how they break into a system
What is a proxy or application gateway?
- maintains complete TCP connection state and sequencing through 2 connections
- address translation built-in by virtue of second connection above
What is a stateful firewall?
Stateful firewalls maintain state of traffic flows
What is No State Inspection ACK flag set?
packet filter firewalls rely on TCP flags to determine connection state. Attacker can send
ACK packets only to bypass firewall.
What is IDS data normalization?
- used by IDS for a baseline before analysis
- attackers will try to de-normalize traffic to evade detection
- IDS will normalize data for understood protocols
What are NIDS advantages?
- provides insight into traffic on the network
- help detect problems with network operations
- provides auditing for other security measures
What are NIDS challenges?
- deployment challenges including topology and access limitations
- analyzing encrypted traffic
- quantity vs. quality of signatures
- performance limitations with extensive analysis techniques
- very costly for proper management
, What are some NIDS topology limitations?
- switches networks make it difficult to monitor traffic in promiscuous mode
- topology must be able to support traffic aggregation for monitoring
What is Snort?
- open source tool for monitoring
- can be used as a NIDS
- has quick updates and flexibility for custom rules
What is a stateless packet filter?
A low end firewall that can quickly be deployed using existing hardware. They examine
packets themselves with no content.
What are some firewall benefits?
- protects internal/external systems from attack
- filters communications based on content
- performs NAT
- encrypts communications for VPN
- logging to aid in intrusion detection
What are some firewall challenges?
- application layer attacks may get through
- dialup, VPN, extranet connections may bypass firewalls
What is a firewall?
An appliance that controls access between public internet and a companies private
network, or between a PC NIC and the rest of the PC.
What is a rootkit?
A cracking tool inserted into the OS that allows the attacker to do as they please.
What is alteration of code?
When someone has compromised the integrity of data or a program. Allows attackers to
create backdoors.
What are race conditions?
A time of check/time of use attack that exploits the difference in between when a
security control was applied and the time the service was used.
What is a browsing attack?
Simple attack done by simply browsing available information that's allowed on a local
network.
What does remote maintenance do?
Allows admins to remotely access a system for troubleshooting.
* VNC
* GoToMyPc
* PC Anywhere
What is brute force?
An attempt to gain access by bombarding it with guesses until the password is found.
What is a buffer overflow?
Poor programming without error checking can allow commands to be run in an input
field. This can point to a command further in the buffer that will execute the attacker's
payload.
What is a DDoS attack?
with complete solution
Ack Piggybacking
The Practice of sending an ACK inside another packet going to the same destination
Address resolution protocol
Protocol for mapping an IP address to a physical machine address that is recognized on
the local network.
A table, usually called the ARP cache, is used to maintain a correlation between each
MAC and its corresponding IP address
What are the five threat vectors?
Outside attack from network
Outsider attack from telephone
Insider attack from local network
insider attack from local system
attack from malicious code
What are some external threat concerns?
-Malicious code might execute destructive overwrite to hard disks
-Malicious mas mailing code might expose sensitive information to the internet
- web server compromise might expose organization to ridicule
- Web server compromise might expose customer private data
What are some ways to bypass firewall protections?
- Worms and Wireless
- modems
- tunnel anything through HTTP
- social engineering
What is social engineering?
- attempt to manipulate or trick a person into providing information or access
- bypass network security by exploiting humans
- vector is often outside attack by telephone or visitor inside
What is Hping?
- a TCP version of ping
- sends custom TCP packets to a host and listens for replies
- enables port scanning and spoofing simultaneously
What is a group?
A group means multiple iterations won't matter. If you encrypt with a key, then re-
encrypt, it's the same as using one key.
What is a port scan?
- common backdoor to open a port
- port scan scans for open ports on remote host
- scans 0 - 65,535 twice. TCP and UDP
What is nmap?
Network scanner.
What are nmap scanning techniques?
,- Full open
- half open (stealth scan)
- UDP
- Ping
What is network stumbler?
- free windows based wireless scanner for 802.1b
- detects access point settings
- supports GSP integration
- identifies networks as encrypted or unencrypted
What is Kismet?
- Free linux WLAN analysis tool
- completely passive, cannot be detected
- supports advanced GPS integration and mapping features
- used for wardriving, WLAN vulerability assessment
What is Wardriving?
Going around with equipment to detect wireless networks
What is War Dialing?
- trying to ID modems in a telephone exchange that may be susceptible to compromise
What are some Pen Test techniques?
- War dialing
- war driving
- Sniffing
- eavesdropping
- dumpster diving
- social engineering
What is IDS?
- intrusion detection system
- it reports attacks against monitored systems/networks
What is IDS not?
- not a replacement for firewalls, hardening, strong policies, or other DiD methods
- low maintenance
- inexpensive
What are the four types of events reported by IDS?
- true positive
- false positive
- true negative
- false negative
How does IDS signature analysis work?
- rules indicate criteria in packets that represent events of interest
- rules are applied to packets as they are received
- alerts are created when matches are found
How does anomaly analysis work?
- flags anomalous conditions in traffic on the network
- requires understanding on what is normal
- bases good traffic as a baseline
What is deep packet inspection?
,- slow, requires stateful data tracking
- inspects all fields, including variable-length fields
What is shallow packet inspection?
- fast, with little fidelity
- examines header information and limited payload data
What is Honeyd?
- low interaction production honeypot
- network daemon that can simulate other hosts
- each host can appear as a different OS
What is a netcat listener?
- simplest form of a research honeypot
- useful in identifying nature of TCP scans, allows attacker to complete 3-way
handshake
- listens on a defined port, logs incoming requests for analysis
What are some disadvantages of honeypots?
- improper deployment can increase attack risk - if production systems aren't sufficiently
protected, they can be vulnerable from a honeypot
- legal liability
What are some honeypot advantages?
- provides insight into the tactics, motives, and attacker tools
What is a honeypot?
- a system resource that has no legitimate purpose or reason for someone to connect to
it
- its purpose is to draw in attackers to understand how they break into a system
What is a proxy or application gateway?
- maintains complete TCP connection state and sequencing through 2 connections
- address translation built-in by virtue of second connection above
What is a stateful firewall?
Stateful firewalls maintain state of traffic flows
What is No State Inspection ACK flag set?
packet filter firewalls rely on TCP flags to determine connection state. Attacker can send
ACK packets only to bypass firewall.
What is IDS data normalization?
- used by IDS for a baseline before analysis
- attackers will try to de-normalize traffic to evade detection
- IDS will normalize data for understood protocols
What are NIDS advantages?
- provides insight into traffic on the network
- help detect problems with network operations
- provides auditing for other security measures
What are NIDS challenges?
- deployment challenges including topology and access limitations
- analyzing encrypted traffic
- quantity vs. quality of signatures
- performance limitations with extensive analysis techniques
- very costly for proper management
, What are some NIDS topology limitations?
- switches networks make it difficult to monitor traffic in promiscuous mode
- topology must be able to support traffic aggregation for monitoring
What is Snort?
- open source tool for monitoring
- can be used as a NIDS
- has quick updates and flexibility for custom rules
What is a stateless packet filter?
A low end firewall that can quickly be deployed using existing hardware. They examine
packets themselves with no content.
What are some firewall benefits?
- protects internal/external systems from attack
- filters communications based on content
- performs NAT
- encrypts communications for VPN
- logging to aid in intrusion detection
What are some firewall challenges?
- application layer attacks may get through
- dialup, VPN, extranet connections may bypass firewalls
What is a firewall?
An appliance that controls access between public internet and a companies private
network, or between a PC NIC and the rest of the PC.
What is a rootkit?
A cracking tool inserted into the OS that allows the attacker to do as they please.
What is alteration of code?
When someone has compromised the integrity of data or a program. Allows attackers to
create backdoors.
What are race conditions?
A time of check/time of use attack that exploits the difference in between when a
security control was applied and the time the service was used.
What is a browsing attack?
Simple attack done by simply browsing available information that's allowed on a local
network.
What does remote maintenance do?
Allows admins to remotely access a system for troubleshooting.
* VNC
* GoToMyPc
* PC Anywhere
What is brute force?
An attempt to gain access by bombarding it with guesses until the password is found.
What is a buffer overflow?
Poor programming without error checking can allow commands to be run in an input
field. This can point to a command further in the buffer that will execute the attacker's
payload.
What is a DDoS attack?
