nerdexam
GIAC

GCIH · Question #460

Which technique allows an attacker logged into a computer attached to switch port 8 to see traffic sent to hosts on other ports?

The correct answer is A. Launching a CAM table flood against the switch. A CAM table flood causes a switch to fail open and broadcast all traffic to every port, allowing the attacker on port 8 to capture frames destined for other hosts.

Reconnaissance, Scanning, and Enumeration

Question

Which technique allows an attacker logged into a computer attached to switch port 8 to see traffic sent to hosts on other ports?

Exhibit

GCIH question #460 exhibit

Options

  • ALaunching a CAM table flood against the switch
  • BReleasing and renewing the computer's IP address
  • CPoisoning the DNS cache on the switch
  • DPutting the computer's network card into promiscuous mode

How the community answered

(47 responses)
  • A
    94% (44)
  • C
    2% (1)
  • D
    4% (2)

Why each option

A CAM table flood causes a switch to fail open and broadcast all traffic to every port, allowing the attacker on port 8 to capture frames destined for other hosts.

ALaunching a CAM table flood against the switchCorrect

A switch maintains a Content Addressable Memory (CAM) table mapping MAC addresses to ports. When an attacker floods the switch with thousands of spoofed MAC addresses, the CAM table overflows and the switch can no longer make forwarding decisions, so it broadcasts all frames out every port - effectively behaving like a hub. This allows the attacker on port 8 to capture traffic intended for all other ports.

BReleasing and renewing the computer's IP address

Releasing and renewing a DHCP lease only changes the host's IP address and has no effect on how the switch forwards Ethernet frames to other ports.

CPoisoning the DNS cache on the switch

Switches do not maintain DNS caches - DNS cache poisoning targets resolvers and clients to redirect name resolution, not switch forwarding behavior.

DPutting the computer's network card into promiscuous mode

Promiscuous mode configures the NIC to accept all frames it receives, but without flooding the CAM table the switch still delivers only relevant frames to port 8, so there is nothing extra to capture.

Concept tested: CAM table overflow attack enabling traffic sniffing

Source: https://www.cisco.com/c/en/us/support/docs/lan-switching/ethernet/10601-13.html

Topics

#CAM table flood#MAC flooding#switch security#traffic interception

Community Discussion

No community discussion yet for this question.

Full GCIH Practice