CompTIA Security+ Exam Notes

Let Us Help You Pass

Friday, September 5, 2025

MAC Flooding Attacks: How They Work and How to Prevent Them

 MAC Flooding

MAC flooding is a type of network attack that targets switches in a local area network (LAN). It aims to overwhelm the switch’s MAC address table, causing it to behave like a hub and broadcast traffic to all ports, which can lead to data interception and network degradation.

Understanding How Switches Work
  • Switches maintain a MAC address table (also called a CAM table) that maps MAC addresses to specific ports.
  • When a frame arrives, the switch checks the destination MAC address and forwards it only to the correct port.
  • This makes switches more secure and efficient than hubs.
What Is MAC Flooding?

MAC flooding involves sending a large number of frames with fake or random source MAC addresses to a switch. The goal is to populate the MAC address table so that the switch can no longer learn new addresses.

When the table is full:
  • The switch enters a fail-open mode.
  • It starts broadcasting all incoming traffic to every port.
  • This allows an attacker connected to any port to capture traffic not meant for them using tools like Wireshark.
Goals of MAC Flooding
1. Data Interception
  • Gain access to sensitive data by forcing the switch to broadcast.
2. Network Disruption
  • Overload the switch, causing performance issues.
3. Preparation for Further Attacks
  • Set the stage for Man-in-the-Middle (MitM) or session hijacking.
How It’s Done
Attackers use tools like:
  • macof (part of the dsniff suite)
  • Yersinia
  • Scapy (Python-based packet crafting)
These tools generate thousands of frames with spoofed MAC addresses rapidly.

Detection and Prevention

Detection
  • Unusual traffic patterns or high volume of MAC address changes.
  • Switch logs show frequent MAC table updates.
  • IDS/IPS systems detect abnormal behavior.
Prevention
1. Port Security
  • Limit the number of MAC addresses per port.
  • Configure sticky MAC addresses.
2. MAC Address Table Aging
  • Adjust the aging time to reduce the vulnerability window.
3. 802.1X Authentication
  • Authenticate devices before allowing network access.
4. VLAN Segmentation
  • Isolate sensitive devices from general access.
5. Monitoring Tools
  • Use SNMP, NetFlow, or security appliances to monitor switch behavior.
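The following is an added example, not part of the original notes and not code from any switch vendor. It is a toy switch with a deliberately tiny CAM table (8 entries instead of thousands) so the behaviour described above is visible: once the table is full the switch can no longer learn new hosts and must flood frames to them, while the same scenario with a per-port MAC limit (prevention item 1, port security in "restrict" mode) keeps the table healthy and produces a violation count to alert on. The per-port MAC counts it reports are the detection signal listed above. All host MACs, port numbers and the 20 bogus source addresses are constructed for the demonstration.

```python
from collections import OrderedDict


class ToySwitch:
    """Learns source MACs per ingress port and forwards by destination MAC.
    per_port_limit emulates port security in 'restrict' mode: once a port has
    learned its quota of MACs, frames from any further MAC on that port are
    dropped and recorded as a violation. (Added example, not vendor code.)"""

    def __init__(self, num_ports=4, table_size=8, per_port_limit=None):
        self.ports = list(range(1, num_ports + 1))
        self.table_size = table_size            # CAM capacity; real switches hold thousands
        self.per_port_limit = per_port_limit    # None = port security off
        self.cam = OrderedDict()                # mac -> port
        self.violations = []                    # (port, mac) pairs refused by port security

    def macs_on_port(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def learn(self, port, src_mac):
        """Return True if src_mac is in the table afterwards, False if it could not be learned."""
        if src_mac in self.cam:
            self.cam[src_mac] = port            # refresh (or move) an existing entry
            return True
        if self.per_port_limit is not None and self.macs_on_port(port) >= self.per_port_limit:
            self.violations.append((port, src_mac))
            return False
        if len(self.cam) >= self.table_size:
            return False                        # table full: the new address cannot be learned
        self.cam[src_mac] = port
        return True

    def forward(self, in_port, src_mac, dst_mac):
        """Return the list of egress ports for the frame; [] means the frame was dropped."""
        learned = self.learn(in_port, src_mac)
        if not learned and (in_port, src_mac) in self.violations:
            return []                           # port security drops the offending frame
        out = self.cam.get(dst_mac)
        if out is None:
            return [p for p in self.ports if p != in_port]   # unknown or broadcast: flood
        if out == in_port:
            return []                           # destination is on the ingress port: filtered
        return [out]                            # known unicast: forwarded to one port only


BROADCAST = "ff:ff:ff:ff:ff:ff"
HOST_A, HOST_B, HOST_C = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:04"


def run_scenario(port_security_limit=None):
    """Constructed scenario: hosts A (port 1) and B (port 2) are legitimate, port 3 emits
    frames from 20 different source MACs, then host C joins on port 4 and A sends to C."""
    sw = ToySwitch(table_size=8, per_port_limit=port_security_limit)
    sw.forward(1, HOST_A, BROADCAST)
    sw.forward(2, HOST_B, BROADCAST)
    for i in range(20):
        sw.forward(3, f"de:ad:be:ef:00:{i:02x}", BROADCAST)
    host_c_learned = sw.learn(4, HOST_C)
    egress = sw.forward(1, HOST_A, HOST_C)
    return {
        "table_entries": len(sw.cam),
        "macs_per_port": {p: sw.macs_on_port(p) for p in sw.ports},
        "host_c_learned": host_c_learned,
        "a_to_c_egress": egress,
        "violations": len(sw.violations),
    }


if __name__ == "__main__":
    for limit in (None, 2):
        print("port security limit", limit, "->", run_scenario(limit))
```

Without a limit, port 3 alone fills the table, host C can never be learned, and the frame from A to C is flooded out of every other port (including port 3, where it can be captured). With a limit of 2 MACs per port, port 3 learns two addresses and the remaining 18 frames are dropped and counted, the table stays at five entries, and A's frame reaches port 4 only. A port showing six or more learned MACs where one host is expected is exactly the anomaly the detection bullets above describe.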

ARP Spoofing Explained: How Attackers Hijack Network Traffic

 ARP Poisoning

ARP poisoning (also known as ARP spoofing) is a type of cyberattack that exploits the Address Resolution Protocol (ARP), which is used to map IP addresses to MAC (Media Access Control) addresses in a local network. Here's a detailed breakdown of how it works, why it's dangerous, and how it's mitigated:

How ARP Works

In a local network:
  • Devices communicate using IP addresses.
  • To send data to another device, the sender needs the recipient's MAC address.
  • ARP resolves this by sending a broadcast message like:
  • "Who has IP 192.168.1.1? Tell 192.168.1.100"
  • The device with that IP replies with its MAC address.
  • The sender stores this mapping in its ARP cache.
What Is ARP Poisoning?
ARP poisoning is when an attacker sends fake ARP messages to a network. These messages falsely associate the attacker's MAC address with the IP address of another device (like the gateway or another host).

Example:
  • Attacker sends a spoofed ARP reply:
  • "192.168.1.1 is at AA:AA:AA:AA:AA:AA" (attacker’s MAC)
  • Victim updates its ARP cache with this incorrect mapping.
  • Now, traffic meant for 192.168.1.1 goes to the attacker.
Goals of ARP Poisoning
1. Man-in-the-Middle (MitM) Attack
  • Attacker intercepts and possibly alters communication between two devices.
2. Data Theft
  • Sensitive information like login credentials can be captured.
3. Session Hijacking
  • An attacker can take over active sessions.
4. Denial of Service (DoS)
  • Redirecting traffic to a non-existent MAC address can disrupt communication.
How It’s Done

Attackers use tools like:
  • Ettercap
  • Cain & Abel
  • BetterCAP
  • arpspoof
These tools automate the sending of spoofed ARP packets to poison caches across the network.

Detection and Prevention

Detection
  • Unusual ARP traffic or frequent ARP replies.
  • Duplicate IP addresses with different MACs.
  • Tools like:
    • Wireshark (packet analysis)
    • ARPwatch (monitoring ARP activity)
Prevention
1. Static ARP Entries
  • Manually configure IP-MAC mappings (not scalable).
2. Packet Filtering
  • Use firewalls to block spoofed packets.
3. Encryption
  • Use HTTPS and VPNs to protect data even if intercepted.
4. Network Segmentation
  • Limit broadcast domains.
5. Dynamic ARP Inspection (DAI)
  • Available on managed switches; validates ARP packets against the DHCP snooping database.
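The following is an added example, not part of the original notes and not the code of Wireshark, ARPwatch or any switch vendor. It parses ARP replies written in the "<ip> is at <mac>" wording used above and applies three of the detection checks from this post: a reply that disagrees with a trusted IP-to-MAC binding table (the comparison Dynamic ARP Inspection makes against its DHCP snooping database), an IP whose MAC changes between replies (the duplicate-IP symptom ARPwatch reports), and a sender that answers unusually often. The sample log, the trusted bindings and the threshold are constructed for the demonstration; the spoofed MAC is the one from the example above.

```python
import re
from collections import Counter

# Constructed sample of ARP replies seen on one segment, in the wording the notes use.
SAMPLE_ARP_LOG = """\
192.168.1.1 is at 00:11:22:33:44:01
192.168.1.100 is at 00:11:22:33:44:64
192.168.1.1 is at AA:AA:AA:AA:AA:AA
192.168.1.1 is at AA:AA:AA:AA:AA:AA
192.168.1.1 is at AA:AA:AA:AA:AA:AA
192.168.1.50 is at 00:11:22:33:44:32
"""

# Trusted IP-to-MAC bindings, e.g. exported from a DHCP snooping database (constructed values).
TRUSTED_BINDINGS = {
    "192.168.1.1": "00:11:22:33:44:01",     # default gateway
    "192.168.1.100": "00:11:22:33:44:64",
}

ARP_REPLY_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}) is at ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
)


def parse_arp_replies(text):
    """Yield (ip, mac) pairs with MACs normalised to lower case; other lines are skipped."""
    for line in text.splitlines():
        m = ARP_REPLY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def inspect_arp(replies, bindings, reply_threshold=3):
    """Return a list of alerts:
    ('binding-mismatch', ip, expected_mac, seen_mac)  what DAI would drop on an untrusted port
    ('mac-changed', ip, previous_mac, new_mac)        an IP now claimed by a different MAC
    ('reply-burst', ip, mac, count)                   one sender replying at or above the threshold
    An IP absent from the binding table is reported only if its MAC changes."""
    alerts = []
    last_mac = {}
    reply_counts = Counter()
    for ip, mac in replies:
        expected = bindings.get(ip)
        if expected is not None and mac != expected.lower():
            alerts.append(("binding-mismatch", ip, expected.lower(), mac))
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(("mac-changed", ip, prev, mac))
        last_mac[ip] = mac
        reply_counts[(ip, mac)] += 1
    for (ip, mac), n in reply_counts.items():
        if n >= reply_threshold:
            alerts.append(("reply-burst", ip, mac, n))
    return alerts


def alerts_for_sample():
    return inspect_arp(parse_arp_replies(SAMPLE_ARP_LOG), TRUSTED_BINDINGS)


if __name__ == "__main__":
    for alert in alerts_for_sample():
        print(*alert)
```

On the sample, the gateway's three spoofed replies each fail the binding check, the first of them also raises a "mac-changed" alert, and the repetition raises one "reply-burst" alert; the host 192.168.1.50, which is not in the binding table and never changes MAC, produces nothing. On a switch with DAI, the mismatching replies would be dropped rather than merely logged; on an endpoint, the static-entry mitigation above corresponds to pinning the gateway with `arp -s` on Windows or `ip neigh add ... nud permanent` on Linux.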

Thursday, September 4, 2025

Subnetting Question 1 for Sept. 4th

 Subnetting Question 1 for Sept. 4th, 2025

Video Explanation in the next post




Collapsed Core Architecture: A Simplified Network Design for Smaller Networks

 Collapsed Core Network

A collapsed core network (also known as a collapsed backbone or collapsed core architecture) is a simplified version of a traditional enterprise network design. It merges the core and distribution layers of the network into a single layer, typically for smaller or medium-sized networks where a complete three-tier architecture is unnecessary.

Traditional Three-Tier Network Architecture:
Access Layer – Connects end devices like PCs, printers, and phones.
Distribution Layer – Aggregates access layer switches, applies policies, and routes between VLANs.
Core Layer – High-speed backbone that connects distribution layers and provides fast transport across the network.

Collapsed Core Architecture:
In a collapsed core, the core and distribution layers are combined into a single layer, typically using high-performance switches or routers.

Key Characteristics:
  • Simplified design – Fewer devices and layers to manage.
  • Cost-effective – Reduces hardware and operational costs.
  • Easier management – Less complexity in configuration and troubleshooting.
  • Suitable for smaller networks – Ideal for small campuses, branch offices, or SMBs.
Advantages:
  • Lower latency due to fewer hops.
  • Reduced cost in hardware and maintenance.
  • Simplified troubleshooting and network design.
  • Scalability for moderate growth.
Considerations:
  • Limited scalability compared to full three-tier designs.
  • Single point of failure if redundancy isn’t properly implemented.
  • Performance bottlenecks occur if the collapsed core device is overloaded.



Wednesday, September 3, 2025

Understanding the 'show interface' Command on Cisco Devices

 Show Interface Command

The show interface command is a powerful diagnostic tool used primarily on Cisco network devices (like routers and switches) to display detailed information about the status and statistics of network interfaces.

Purpose of show interface

It helps network administrators:
  • Monitor interface status (up/down)
  • Check for errors or performance issues
  • View traffic statistics
  • Diagnose connectivity problems
Basic Syntax

show interface [interface-id]

interface-id is the name of the interface, such as GigabitEthernet0/1, FastEthernet0/0, or Serial0/0/0.

Example Output

Router# show interface GigabitEthernet0/1
GigabitEthernet0/1 is up, line protocol is up
Hardware is iGbE, address is 0012.7f8b.1c01 (bia 0012.7f8b.1c01)
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 1000Mbps, media type is RJ45
output flow-control is XON, input flow-control is XON
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:01, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
5 minute input rate 1000 bits/sec, 2 packets/sec
5 minute output rate 2000 bits/sec, 3 packets/sec
     123456 packets input, 987654 bytes
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     234567 packets output, 1234567 bytes
     0 output errors, 0 collisions, 0 interface resets
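The following is an added example, not part of the original notes and not Cisco code. It parses the key fields out of the show interface output above (embedded here, with the counter lines as printed on a real device, so it runs offline) and turns them into the findings an administrator looks for: interface or line protocol down, CRC/frame errors, collisions on a full-duplex link, queue drops and interface resets. A second, constructed copy of the output with a few counters raised shows the checks firing. The field names in the returned dictionary and the thresholds (any non-zero error counter) are this example's choices.

```python
import re

# The "show interface GigabitEthernet0/1" output from the notes, embedded as sample input.
SAMPLE_OUTPUT = """\
GigabitEthernet0/1 is up, line protocol is up
Hardware is iGbE, address is 0012.7f8b.1c01 (bia 0012.7f8b.1c01)
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 1000Mbps, media type is RJ45
output flow-control is XON, input flow-control is XON
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:01, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
5 minute input rate 1000 bits/sec, 2 packets/sec
5 minute output rate 2000 bits/sec, 3 packets/sec
     123456 packets input, 987654 bytes
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     234567 packets output, 1234567 bytes
     0 output errors, 0 collisions, 0 interface resets
"""

# One regex per line of interest; the group names become keys of the parsed dictionary.
FIELD_PATTERNS = [
    r"^(?P<name>\S+) is (?P<status>up|down|administratively down), line protocol is (?P<line_protocol>up|down)",
    r"address is (?P<mac>[0-9a-f.]+)",
    r"MTU (?P<mtu>\d+) bytes, BW (?P<bw_kbit>\d+) Kbit/sec",
    r"(?P<duplex>Full|Half)[ -][Dd]uplex, (?P<speed_mbps>\d+)\s*Mb(?:ps|/s)",   # accepts 'Full-duplex, 1000Mb/s' too
    r"Input queue: \d+/\d+/(?P<input_queue_drops>\d+)/\d+.*Total output drops: (?P<total_output_drops>\d+)",
    r"input rate (?P<input_bps>\d+) bits/sec",
    r"output rate (?P<output_bps>\d+) bits/sec",
    r"(?P<packets_input>\d+) packets input",
    r"(?P<input_errors>\d+) input errors, (?P<crc>\d+) CRC, (?P<frame>\d+) frame",
    r"(?P<packets_output>\d+) packets output",
    r"(?P<output_errors>\d+) output errors, (?P<collisions>\d+) collisions, (?P<interface_resets>\d+) interface resets",
]


def parse_show_interface(text):
    """Return a dict of the key fields; counters become ints, a missing field raises ValueError."""
    stats = {}
    for pattern in FIELD_PATTERNS:
        m = re.search(pattern, text, re.MULTILINE)
        if not m:
            raise ValueError(f"field not found: {pattern}")
        for key, value in m.groupdict().items():
            stats[key] = int(value) if value.isdigit() else value
    return stats


def assess(stats):
    """Translate the counters into findings; an empty list means a clean interface."""
    findings = []
    if stats["status"] != "up" or stats["line_protocol"] != "up":
        findings.append(f"{stats['name']} is {stats['status']}, line protocol {stats['line_protocol']}")
    if stats["crc"] or stats["frame"]:
        findings.append(f"{stats['crc']} CRC / {stats['frame']} frame errors: suspect cabling, optics or duplex")
    if stats["collisions"] and stats["duplex"] == "Full":
        findings.append(f"{stats['collisions']} collisions on a full-duplex link: likely duplex mismatch")
    if stats["total_output_drops"] or stats["input_queue_drops"]:
        findings.append(f"{stats['total_output_drops']} output / {stats['input_queue_drops']} input queue drops: congestion")
    if stats["interface_resets"]:
        findings.append(f"{stats['interface_resets']} interface resets: flapping link or hardware fault")
    return findings


# Constructed degraded variant of the same output, to show the checks firing.
DEGRADED_OUTPUT = (SAMPLE_OUTPUT.replace("0 CRC", "17 CRC")
                   .replace("0 collisions", "5 collisions")
                   .replace("Total output drops: 0", "Total output drops: 42"))

if __name__ == "__main__":
    for text in (SAMPLE_OUTPUT, DEGRADED_OUTPUT):
        s = parse_show_interface(text)
        print(s["name"], s["status"], s["bw_kbit"], "kbit/s ->", assess(s) or "no findings")
```

The original output parses to a clean interface (no findings); the degraded copy reports CRC errors, collisions on a full-duplex link and output drops. Because counters accumulate since the last clearing, a non-zero value is only meaningful together with the "Last clearing of counters" line, so in practice you clear counters, wait, and re-run the command before acting on a small count.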

Key Fields Explained


Common Use Cases
  • Troubleshooting: Identify errors, drops, or misconfigurations.
  • Performance Monitoring: Check bandwidth usage and traffic rates.
  • Hardware Checks: Verify cable connections and interface status.

Tuesday, September 2, 2025

Understanding TACACS+: Features, Operation, and Benefits

 TACACS+ (Terminal Access Controller Access-Control System Plus)

TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol developed by Cisco that provides centralized authentication, authorization, and accounting (AAA) for users who access network devices. It is widely used in enterprise environments to manage access to routers, switches, firewalls, and other network infrastructure.

Here’s a detailed breakdown of TACACS+:

What Is TACACS+?
TACACS+ is an AAA protocol that separates the three functions—Authentication, Authorization, and Accounting—into distinct processes. It communicates between a network access server (NAS) and a centralized TACACS+ server.

It is an enhancement of the original TACACS and XTACACS protocols, offering more robust security and flexibility.

Key Features
1. Full AAA Support:
  • Authentication: Verifies user identity (e.g., username/password).
  • Authorization: Determines what actions the user is allowed to perform.
  • Accounting: Logs user activities for auditing and billing.
2. Encryption:
  • TACACS+ encrypts the entire payload of the packet, whereas RADIUS protects only the password field, providing better security.
3. TCP-Based:
  • Uses TCP (port 49 by default), giving reliable delivery; RADIUS uses UDP.
4. Command Authorization:
  • Allows granular control over which commands a user can execute on a device.
5. Modular Design:
  • Each AAA function can be handled independently, giving administrators more control.
How TACACS+ Works
1. Authentication Process
  • A user attempts to access a network device.
  • The device (NAS) sends the credentials to the TACACS+ server.
  • The server verifies the credentials and responds with success or failure.
2. Authorization Process
  • After authentication, the server checks what the user is allowed to do.
  • It sends back a list of permitted commands or access levels.
3. Accounting Process
  • The server logs session details, including login time, commands executed, and logout time.
  • These logs can be used for auditing and compliance purposes.
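The following is an added example, not part of the original notes and not Cisco code. It builds and parses a TACACS+ packet as laid out in RFC 8907: the 12-byte header carries the version, packet type (authentication, authorization or accounting), sequence number, flags, session id and body length, and everything after the header is XORed with an MD5-derived pad keyed by the shared secret, which is why the whole body, not just a password field, is hidden on the wire. The body here is a constructed authentication START for a made-up user; the shared secret and session id are constructed too. The parser also reports the header flag that marks a cleartext body, which is worth alerting on in monitoring because a correctly configured server should never send or accept it.

```python
import hashlib
import struct

TACACS_PORT = 49                        # TCP/49 by default, as the notes state
HEADER = struct.Struct(">BBBBII")       # version, type, seq_no, flags, session_id, length (12 bytes)
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01        # body sent in the clear; must not appear in production
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04     # several sessions multiplexed over one TCP connection
VERSION = 0xC0                          # major version 0xC, minor version 0


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5(session_id|key|version|seq_no), then each further block
    is MD5 of the same prefix plus the previous digest; concatenate and truncate to length."""
    prefix = struct.pack(">I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the whole body with the pad; applying it a second time restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, priv_lvl=1):
    """Authentication START body (RFC 8907 section 5.1): action LOGIN (1), priv_lvl,
    authen_type ASCII (1), service LOGIN (1), four length bytes, then the variable fields."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    return bytes([1, priv_lvl, 1, 1, len(u), len(p), len(r), len(d)]) + u + p + r + d


def build_packet(body, session_id, key, ptype=TAC_PLUS_AUTHEN, seq_no=1, cleartext=False):
    """Header plus body; the body is obfuscated unless the cleartext flag is deliberately set."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if cleartext else 0
    payload = body if cleartext else obfuscate(body, session_id, key, VERSION, seq_no)
    return HEADER.pack(VERSION, ptype, seq_no, flags, session_id, len(payload)) + payload


def parse_packet(packet, key):
    """Decode the header, recover the body with the shared key, and report whether the
    sender set the unencrypted flag."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    payload = packet[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated TACACS+ packet")
    cleartext = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)
    body = payload if cleartext else obfuscate(payload, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "session_id": session_id,
            "single_connect": bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG),
            "cleartext": cleartext, "body": body}


# Constructed values for the demonstration: a made-up shared secret and session id.
DEMO_KEY = b"constructed-shared-secret"
DEMO_SESSION = 0x1234ABCD


def demo():
    body = build_authen_start("admin", "tty0", "192.168.1.100")
    wire = build_packet(body, DEMO_SESSION, DEMO_KEY)
    clear_wire = build_packet(body, DEMO_SESSION, DEMO_KEY, cleartext=True)
    return {
        "username_visible_on_wire": b"admin" in wire,
        "round_trip_ok": parse_packet(wire, DEMO_KEY)["body"] == body,
        "wrong_key_recovers_body": parse_packet(wire, b"wrong-key")["body"] == body,
        "cleartext_flag_seen": parse_packet(clear_wire, DEMO_KEY)["cleartext"],
        "username_visible_in_cleartext": b"admin" in clear_wire,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the correct key the body round-trips; with a wrong key the parser returns garbage rather than an error, which is why TACACS+ servers reject a decoded body whose lengths do not add up. One caveat to the "encryption" wording in the notes: RFC 8907 itself calls this MD5-based scheme obfuscation, and its strength rests entirely on the secrecy of the shared key, so TACACS+ traffic is normally confined to a management network or wrapped in TLS.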
TACACS+ vs RADIUS


Use Cases
  • Network Device Management: Control who can access routers/switches and what they can do.
  • Auditing and Compliance: Track user activity for security and regulatory purposes.
  • Role-Based Access Control: Assign different permissions to admins, operators, and auditors.
Benefits
  • Enhanced security through full encryption.
  • Fine-grained access control.
  • Centralized management of user access.
  • Reliable communication via TCP.