Exam 312-50v12 topic 1 question 228 discussion

Actual exam question from ECCouncil's 312-50v12
Question #: 228
Topic #: 1

In a large organization, a network security analyst discovered a series of packet captures that seem unusual. The network operates on a switched Ethernet environment. The security team suspects that an attacker might be using a sniffer tool. Which technique could the attacker be using to successfully carry out this attack, considering the switched nature of the network?

  • A. The attacker might be compromising physical security to plug into the network directly.
  • B. The attacker might be implementing MAC flooding to overwhelm the switch's memory.
  • C. The attacker is probably using a Trojan horse with in-built sniffing capability.
  • D. The attacker might be using passive sniffing, as it provides significant stealth advantages.
Suggested Answer: B

Comments

g_man_rap
6 months, 4 weeks ago
Option B, MAC flooding to overwhelm the switch's memory, is the most plausible technique that an attacker might use in a switched network environment to enable traffic sniffing broadly across the network. This method effectively makes the switch behave more like a hub, broadcasting traffic to all connected devices and thus enabling a sniffer to capture traffic not originally intended for the attacker’s connected device.
upvoted 1 times
LordXander
7 months, 3 weeks ago
Selected Answer: B
I would've gone with C/D because it makes more sense; however, we have more packages than usual, and C would fail because in sniffing you don't generate packages... you just inspect them. D... well, we see activity generated so it cannot be
upvoted 1 times
mossj
8 months ago
Selected Answer: B
B: MAC flooding. MAC flooding makes use of this limitation to bombard switches with fake MAC addresses until the switches can no longer keep up. Once this happens to a switch, it will enter fail-open mode, wherein it starts acting as a hub by broadcasting packets to all the ports on the switch.
upvoted 1 times
qtygbapjpesdayazko
8 months, 1 week ago
Selected Answer: B
The correct answer is B, MAC flooding; the keyword is "Which technique".
upvoted 1 times
calx5
9 months ago
Selected Answer: B
MAC flooding for switch environment.
upvoted 1 times
duke_of_kamulu
9 months ago
According to the CEHv12 pg 1214 we have passive and active, but being an attack we see more packets flooded, so we eliminate the possibility of it being a Trojan horse "passively monitoring" to actively sniffing, so the ANSWER becomes B
upvoted 2 times
insaniunt
9 months, 1 week ago
Selected Answer: B
I read once again the book: To summarize the types of sniffing: passive sniffing does not send any packets; it only monitors the packets sent by others. Active sniffing involves sending out multiple network probes to identify access points. The following is a list of different active sniffing techniques:
▪ MAC flooding
- switch is vulnerable to active sniffing only.
- Trojan horse is a passive sniffing method.
Module 08 Page 1214
upvoted 4 times
athicalacker
9 months, 1 week ago
Selected Answer: B
The key here is unusual packet captures. MAC flooding involves sending a large number of spoofed MAC addresses to a switch, causing it to enter into a state where it forwards traffic to all ports, effectively turning it into a hub-like device. This could result in a flood of traffic that might be detected as unusual by network monitoring tools.
upvoted 3 times
qtygbapjpesdayazko
8 months, 2 weeks ago
This is the way
upvoted 1 times
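
Seen from the defending side, the MAC flooding discussed in this thread shows up as one switch port suddenly sourcing far more distinct MAC addresses than an access port normally does. The following is an added example, not part of the original discussion, that flags such ports; the event format, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # assumed sliding window
MAX_MACS_PER_PORT = 5 # assumed limit; an access port usually learns only a few MACs

def detect_mac_flooding(events, window=WINDOW_SECONDS, limit=MAX_MACS_PER_PORT):
    """events: time-ordered (timestamp_seconds, port, source_mac) tuples, e.g.
    derived from switch MAC-learning notifications (format is an assumption).
    Returns {port: timestamp at which the per-port limit was first exceeded}."""
    recent = defaultdict(deque)  # port -> (first_seen, mac) sightings inside the window
    alerts = {}
    for ts, port, mac in events:
        mac = mac.lower()        # same address may be logged in either case
        sightings = recent[port]
        # Expire sightings that have fallen out of the sliding window.
        while sightings and ts - sightings[0][0] > window:
            sightings.popleft()
        # Count each address once per window, however often it repeats.
        if all(seen != mac for _, seen in sightings):
            sightings.append((ts, mac))
        if len(sightings) > limit and port not in alerts:
            alerts[port] = ts
    return alerts

def build_sample_events():
    """Constructed data: one normal port and one port showing flooding."""
    events = []
    # Gi0/1: a workstation and an IP phone, repeating over 30 seconds.
    for t in range(0, 30, 3):
        events.append((t, "Gi0/1", "00:11:22:33:44:55"))
        events.append((t + 1, "Gi0/1", "00:11:22:33:44:66"))
    # Gi0/7: 40 different source addresses within 4 seconds.
    for i in range(40):
        events.append((12 + i / 10, "Gi0/7", "02:00:00:00:00:%02x" % i))
    return sorted(events)

if __name__ == "__main__":
    for port, ts in detect_mac_flooding(build_sample_events()).items():
        print(f"possible MAC flooding on {port}: limit exceeded at t={ts}s")
```

The preventive counterpart on a managed switch is a per-port cap on learned addresses (port security), which stops the address table from filling in the first place.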
przemyslaw1
9 months, 1 week ago
Selected Answer: B
B. The attacker might be implementing MAC flooding to overwhelm the switch's memory. MAC flooding forces the switch into a less secure fail-open mode.
upvoted 2 times
insaniunt
9 months, 2 weeks ago
Selected Answer: C
Using a Trojan horse: Most Trojans have in-built sniffing capability. An attacker can install these on a victim’s machine to compromise it. After compromising the victim’s machine, the attacker can install a packet sniffer and perform sniffing. Most modern networks use switches instead of hubs. A switch eliminates the risk of passive sniffing. However, a switch is still vulnerable to active sniffing. Note: Passive sniffing provides significant stealth advantages over active sniffing - Module 08 Page 1214
upvoted 1 times
sogbe
9 months, 2 weeks ago
Selected Answer: C
Important thing to note here is that in the question they say you have "Discovered a series of packet captures which seem unusual". It's not saying that the Security staff have run those network captures but that they have found files of packet captures having been run by a presumably unknown party. I would think one of the only real ways that you are going to have packet capture files left on PCs on your network is if those PCs have had capturing software installed on them covertly by a Trojan virus and that software is now running scans from the infected PCs. Once you understand that the Security staff is finding network scanner files and is not the one doing the scanning, the Trojan horse answer is the only one which makes sense here.
upvoted 2 times
rorahir
9 months, 2 weeks ago
Ethical hacking specialists, could you please check if this approach is correct?
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other