  1.  Which of the following is not true regarding SSIDs?
A.  The SSID is broadcast by APs in the network, unless otherwise configured.
B.  If the SSID changes, all clients must update to the new SSID to communicate.
C.  Turning off the SSID broadcast ensures only authorized clients, who know the SSID, can connect.
D.  The SSID serves to identify wireless networks.
E.  SSIDs are case sensitive.
C. The intent of a Service Set Identifier (SSID) is solely to identify one wireless network from another. It is not designed, nor should it be relied on, as a security feature. Although you can turn off broadcasting of the SSID, just remember that it is sent in the header of every single packet the AP sends anyway—not to mention by every single device on the network as well. So, while you did make it a little harder to find (using a packet sniffer instead of just looking at “available networks” in wireless properties), and will frustrate the most lazy among us pen testers (or your pesky neighbors looking for free Internet access), it doesn’t really keep anyone out.
A, B, D, and E are incorrect choices because these are true statements. SSIDs are case-sensitive, 32-character strings that are designed to be broadcast. They’re identifiers for networks, with their entire purpose on the planet being to provide a means for clients to differentiate between wireless networks they are capable of connecting to. So, unless you tell the access point (AP) not to, it will gladly broadcast the SSID for easy network discovery by potential clients. The SSID will also need to be updated on all clients if you change it on the AP, which should make perfect sense: If you change it on an AP and don’t tell your clients, they will consistently send packets out with bad headers, pointing to a network that no longer exists.
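To see what “cloaking” actually hides, here is a small added example (not from the book) that pulls the SSID element out of constructed 802.11 management frame bodies. A cloaked AP sends beacons with an empty SSID element, but the probe request from a client and the probe response from the AP still carry the name in the clear. The network name Guest_AnyBiz is borrowed from question 2; the frames themselves are made up.

```python
import struct
from typing import Dict, Optional

EID_SSID = 0  # IEEE 802.11 element ID for the SSID information element


def parse_elements(tagged: bytes) -> Dict[int, bytes]:
    """Split the tagged-parameter area of a management frame into {element id: data}.

    Stops at a truncated element instead of guessing at its contents."""
    elems: Dict[int, bytes] = {}
    pos = 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        data = tagged[pos + 2:pos + 2 + length]
        if len(data) < length:
            break
        elems.setdefault(eid, data)  # keep the first copy if an element repeats
        pos += 2 + length
    return elems


def extract_ssid(frame_body: bytes, has_fixed_fields: bool) -> Optional[str]:
    """Return the SSID carried in a management frame body, or None if it is cloaked.

    Beacons and probe responses start with 12 bytes of fixed fields
    (timestamp 8, beacon interval 2, capability 2); probe requests have none.
    A cloaked AP sends the SSID element with length 0 or filled with NUL bytes."""
    offset = 12 if has_fixed_fields else 0
    ssid = parse_elements(frame_body[offset:]).get(EID_SSID)
    if ssid is None or len(ssid) == 0 or ssid == b"\x00" * len(ssid):
        return None
    return ssid.decode("utf-8", errors="replace")


def build_body(ssid: bytes, has_fixed_fields: bool, extra: bytes = b"") -> bytes:
    """Assemble a management frame body for the constructed samples below."""
    # beacon interval 100 TU, capability bits ESS + privacy (0x0411)
    fixed = struct.pack("<QHH", 0, 100, 0x0411) if has_fixed_fields else b""
    return fixed + bytes([EID_SSID, len(ssid)]) + ssid + extra


# Constructed sample bodies (not captures). Element 1 = supported rates 1/2/5.5/11 Mbps.
SUPPORTED_RATES = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
BEACON_CLOAKED = build_body(b"", True, SUPPORTED_RATES)               # SSID broadcast turned off
BEACON_VISIBLE = build_body(b"Guest_AnyBiz", True, SUPPORTED_RATES)   # same AP, broadcast left on
PROBE_RESPONSE = build_body(b"Guest_AnyBiz", True, SUPPORTED_RATES)   # cloaked AP answering a probing client
PROBE_REQUEST = build_body(b"Guest_AnyBiz", False, SUPPORTED_RATES)   # the client's probe, SSID in the clear


def survey(frames) -> Dict[str, Optional[str]]:
    """Map each labelled sample to the SSID a passive sniffer would read from it."""
    return {label: extract_ssid(body, fixed) for label, body, fixed in frames}


if __name__ == "__main__":
    samples = [("beacon (cloaked)", BEACON_CLOAKED, True),
               ("beacon (visible)", BEACON_VISIBLE, True),
               ("probe response", PROBE_RESPONSE, True),
               ("probe request", PROBE_REQUEST, False)]
    for label, ssid in survey(samples).items():
        print(f"{label:18s} -> {ssid!r}")
```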
  2.  Which of the following correctly describe the war chalk shown here? (Choose all that apply.)
[war chalk symbol shown in the original image]
A.  The nearby access point is secured via WPA2.
B.  The nearby access point uses MAC filtering.
C.  The non-broadcasted SSID is Guest_AnyBiz.
D.  The network access only provides guest-level resource access.
A, B, and C. War chalking is one of those items you’ll probably never come across in the real world, but you’ll definitely see on your exam. A war chalk is a symbol drawn somewhere in a public place indicating the presence of a wireless network. They indicate free networks, hidden SSIDs, pay-for-use hotspots, and which encryption technique is in use. A basic war chalk involves two parentheses back to back with other variables added to tell the whole story. A key through the middle indicates a restricted Wi-Fi spot, and the lock icon indicates MAC filtering. Any wording around the symbol indicates the SSID, encryption password, or even the administrative password for the access point.
D is incorrect because there is no indication in this war chalk of resource access levels. You may see questions on your exam with all sorts of stuff written around the symbol. If the answer you’re reading isn’t readily apparent in the wording around the symbol (that is, clearly spelled out), then don’t select it. More often than not, wording will indicate an SSID or password. Every so often it will indicate other things—such as resource access or the actual make/model of the access point, but those should be easy to spot.
  3.  Which wireless technology provides NIST FIPS 140-2 compliant encryption?
A.  WPA
B.  WPA2
C.  WAP
D.  WEP
B. Wi-Fi Protected Access, version 2, provides encryption using AES, complying with National Institute of Standards and Technology (NIST) FIPS 140-2 requirements. It’s an improvement over WPA by using AES instead of RC4, CRC, and “Michael algorithm” (an integrity check procedure). Another item you may get quizzed on concerning WPA2 is different use cases: WPA2 Personal and WPA2 Enterprise. The major difference between the two is authentication. Personal uses a pre-shared key, whereas Enterprise makes use of a centralized client authentication method (assigning login credentials to users and using a RADIUS server).
A is incorrect because WPA does not use AES for encryption. Instead, it uses CRC, RC4, and Michael algorithm.
C is incorrect because the acronym WAP stands for wireless access point and is, therefore, not a valid encryption method.
D is incorrect because Wired Equivalent Privacy (WEP) isn’t technically designed for encryption at all. It was intended to provide the same amount of protection one might have plugging directly into a network—in short, nothing at all.
  4.  Which of the following uses a 48-bit Initialization Vector? (Choose all that apply.)
A.  WEP
B.  WPA
C.  WPA2
D.  WEP2
B and C. One of the improvements from WEP to WPA involved extending the Initialization Vector (IV) to 48 bits from 24 bits. An Initialization Vector (IV) provides for confidentiality and integrity. Wireless encryption algorithms use it to calculate an integrity check value (ICV), appending it to the end of the data payload. The IV is then combined with a key to be input into an algorithm (RC4 for WEP, AES for WPA2). Therefore, because the length of an IV determines the total number of potential random values that can possibly be created for encryption purposes, doubling to 48 bits increased overall security. By itself, this didn’t answer all security problems—it only meant it took a little longer to capture enough IV packets to crack the code—however, combined with other steps it did provide for better security.
A is incorrect because WEP uses a 24-bit IV. In WEP, this meant there were approximately 16 million unique IV values. Although this may seem like a large number, it’s really not—a determined hacker can capture enough IVs in a brute-force attack in a matter of hours to crack the key.
D is incorrect because there is no such thing as WEP2.
  5.  Which of the following are true statements? (Choose all that apply.)
A.  WEP uses shared key encryption with TKIP.
B.  WEP uses shared key encryption with RC4.
C.  WPA2 uses shared key encryption with RC4.
D.  WPA2 uses TKIP and AES encryption.
B and D. WEP uses a 24-bit Initialization Vector and RC4 to “encrypt” data transmissions, although saying that makes me shake in disgust as it’s really a misnomer. WEP was designed as basic encryption merely to simulate the “security” of being on a wired network—hence, the “equivalent” part in Wired Equivalent Privacy. It was never intended as true encryption protection. WPA was an improvement on two fronts. First, the shared key portion of encryption was greatly enhanced by the use of Temporal Key Integrity Protocol (TKIP). In short, the key used to encrypt data was made temporary in nature and swapped out every 10,000 packets or so. Additionally, WPA2 uses NIST-approved encryption with AES as the algorithm of choice.
A is incorrect because WEP does not use TKIP. Along with the same key being used to encrypt and decrypt (shared key), it’s not changed and remains throughout the communication process—which is part of the reason it’s so easy to crack.
C is incorrect because WPA2 does not use RC4 as an encryption algorithm.
  6.  Which of the following best describes the “evil twin” wireless hacking attack?
A.  An attacker sets up a client machine using the same MAC as an authorized user.
B.  An attacker connects using the same username and password as an authorized user.
C.  An attacker sets up an access point inside the network range for clients to connect to.
D.  An attacker sets up an authentication server on the wireless network.
C. The “evil twin” attack is one involving a rogue access point. The idea is pretty simple: Set up your own access point (AP) somewhere—even outside the building if you want, so long as it’s within range for clients—and have users connect to your AP instead of the legitimate target’s network. If a user looks at available wireless networks and connects to yours (because the signal strength is better, yours is free whereas the other is not, and so on), you effectively have control over all their network traffic. For example, you could configure completely new DNS servers and have your AP configure those addresses within the DHCP address offering, routing users to fake websites you’ve created to steal authentication information. Not to mention you could funnel everything through a packet capture, or shut off access to anyone you felt like virtually neutering for the day. In real-world use, these are set up mostly for sniffing purposes—waiting for some juicy bit of authentication traffic to steal.
Keep in mind, though, the real drawback in this attack is it’s fairly easy to spot, and you may run a substantial risk of discovery if the security staff is doing its job. Tools such as NetStumbler, NetSurveyor, Kismet, and a host of others can help ferret out these rogue APs.
A, B, and D are all incorrect because they do not reflect an evil twin attack. MAC spoofing is not defined as evil twin (it may work as a way into APs that are using MAC filtering, but it’s not called evil twin). User accounts and authentication, although definitely important throughout the network, even on the wireless side, have nothing to do with evil twin.
  7.  During an outbrief of a pen test, you share successes your team has had against the target’s wireless network. The client asks for an explanation of the results, stating directional antennas for the access points were strategically placed to provide coverage for the building instead of omnidirectional antennas. Which of the following statements provides the correct response?
A. Positioning and types of antennas are irrelevant.
B.  Directional antennas only provide for weak encryption of signal.
C.  Positioning of the antennas is irrelevant unless 802.11n is the standard chosen.
D.  Wireless signals can be detected from miles away; therefore, this step alone will not secure the network.
D. Also sometimes called a yagi antenna (all yagi antennas are directional, but not all directional antennas are yagi, so don’t get confused), a directional antenna focuses the signal in a specific direction, which greatly increases signal strength and distance. The benefit in using them should be fairly obvious (controlling the signal’s direction as opposed to using an omnidirectional antenna); however, it interjects its own problems. Because the signal is now greatly increased in strength and distance, you may find attackers actually have an easier time gaining network access. Sure they will need a way to boost their own sending strength, but they’ll be able to pick up your signal for miles. Wireless network design needs to take into account not only the type of antenna used, but where it is placed and what is set up to contain or corral the signal. Additionally, don’t forget that the narrower the beam, the less space is available for clients to connect. Show me a highly directional parabolic antenna, and I’ll show you a lot of users who can’t connect to the network.
A is incorrect because antenna positioning is of great importance to your overall network security. The placement of antennas will dictate signal strength and direction for your clients. Not paying attention to signal spill—into parking lots or across to buildings you don’t own—is a recipe for disaster because you’re providing an easy means for an attacker to access your network.
B is incorrect because antennas don’t provide encryption by themselves. They are connected to devices that implement security, but the type of antenna used doesn’t dictate your encryption method (WEP or WPA2).
C is incorrect because the encoding method used—whether 802.11n or otherwise (for example, 802.11a)—has next to nothing to do with keeping attackers out of your network.
  8.  An attacker is attempting to crack a WEP code to gain access to the network. After enabling monitor mode on wlan0 and creating a monitoring interface (mon0), she types this command:
[command shown in the original image]
What is she trying to accomplish?
A.  Gain access to the WEP access code by examining the response to deauthentication packets, which contain the WEP code.
B.  Use deauthentication packets to generate lots of network traffic.
C.  Determine the BSSID of the access point.
D.  Discover the cloaked SSID of the network.
B. Within 802.11 standards, there are several different management-type frames in use: everything from a beacon and association request to something called (and I’m not making this up) a “probe request.” One of these management frames is a deauthentication packet, which basically shuts off a client from the network. The client then has to reconnect—and will do so quickly. The idea behind this kind of activity is to generate lots of traffic to capture in order to discern the WEP access code (from clients trying to re-associate to all the new ARP packets that will come flying around, since many machines will dump their ARP cache after being shut off the network). Remember the Initialization Vectors within WEP are relatively short (24 bits) and are reused frequently, so any attempt to crack the code requires, in general, around 15,000 or so packets. You can certainly gather these over time, but generating traffic can accomplish it much faster. One final note on this must be brought up: This type of attack can just as easily result in a denial of service against hosts and the AP in question, so be careful.
A is incorrect because the response to a deauth packet does not contain the WEP access code in the clear. If it did, we wouldn’t need to bother with all this traffic generation in the first place—one simple packet would do to crack all security.
C is incorrect because the BSSID (Basic Service Set Identifier) is the MAC address of the AP. It’s usually easy enough to gain from any number of methods (using airodump, for instance) and isn’t a reason for sending multiple deauth packets. There are networks where the BSSID is hidden (referred to as cloaking), but other tools (airmon and airodump) can help with that.
D is incorrect because even if an SSID is “cloaked,” that doesn’t mean it’s actually hidden: All it means is that it is not broadcast. The SSID is still contained in every single packet sent from the AP, and discovering it is easy enough.
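Because deauthentication frames are ordinary, unencrypted 802.11 management frames, the security staff mentioned throughout this chapter can count them. The following added example (not from the book, and not the tool behind the command above) decodes management frame headers from constructed frames and flags any BSSID that sends a burst of deauth/disassociation frames, which is exactly what the traffic-generation and denial-of-service side effects described here look like on the air. Addresses, timestamps and the threshold are made up.

```python
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

BROADCAST = b"\xff" * 6
# Management frame subtypes (frame type 0) as numbered in IEEE 802.11
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt(frame: bytes) -> Optional[Tuple[str, str, str, str, bytes]]:
    """Decode a management frame into (subtype, dst, src, bssid, body).

    Frame control byte 0: bits 0-1 version, bits 2-3 type, bits 4-7 subtype.
    Returns None for control/data frames or anything shorter than the 24-byte header."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:             # type 0 = management; 1 = control; 2 = data
        return None
    subtype_num = (fc0 >> 4) & 0xF
    subtype = MGMT_SUBTYPES.get(subtype_num, f"mgmt-{subtype_num}")
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    return subtype, mac_str(dst), mac_str(src), mac_str(bssid), frame[24:]


def reason_code(body: bytes) -> Optional[int]:
    """Deauth and disassoc bodies begin with a 2-byte little-endian reason code."""
    return struct.unpack("<H", body[:2])[0] if len(body) >= 2 else None


def detect_deauth_flood(frames: List[Tuple[float, bytes]], window_s: float = 10.0,
                        threshold: int = 10) -> Dict[str, Dict[str, int]]:
    """Flag BSSIDs whose deauth/disassoc count in any time window reaches the threshold.

    Returns {bssid: {"peak": frames in the busiest window, "broadcast": frames sent to
    ff:ff:ff:ff:ff:ff}}. An AP legitimately deauthenticates a station now and then;
    a burst aimed at the broadcast address is not normal behaviour."""
    buckets: Dict[Tuple[str, int], int] = defaultdict(int)
    broadcast: Dict[str, int] = defaultdict(int)
    for ts, frame in frames:
        parsed = parse_mgmt(frame)
        if parsed is None or parsed[0] not in ("deauth", "disassoc"):
            continue
        _, dst, _, bssid, _ = parsed
        buckets[(bssid, int(ts // window_s))] += 1
        if dst == mac_str(BROADCAST):
            broadcast[bssid] += 1
    peak: Dict[str, int] = defaultdict(int)
    for (bssid, _), n in buckets.items():
        peak[bssid] = max(peak[bssid], n)
    return {b: {"peak": n, "broadcast": broadcast[b]} for b, n in peak.items() if n >= threshold}


def build_mgmt(subtype: int, dst: bytes, src: bytes, bssid: bytes,
               body: bytes = b"", seq: int = 0) -> bytes:
    """Assemble a management frame (version 0, no flags) for the constructed samples."""
    fc = bytes([subtype << 4, 0x00])
    return fc + struct.pack("<H", 0) + dst + src + bssid + struct.pack("<H", seq << 4) + body


# Constructed sample capture: (timestamp in seconds, raw frame). Addresses are made up.
AP = bytes.fromhex("021122334455")
STA = bytes.fromhex("02aabbccddee")
SAMPLE: List[Tuple[float, bytes]] = [(0.0, build_mgmt(8, BROADCAST, AP, AP, b"\x00" * 12))]  # beacon
SAMPLE.append((0.5, build_mgmt(12, STA, AP, AP, struct.pack("<H", 3))))   # one deauth, reason 3 (station leaving)
SAMPLE += [(3.0 + i * 0.1, build_mgmt(12, BROADCAST, AP, AP, struct.pack("<H", 7), seq=i))
           for i in range(25)]                                            # burst: 25 broadcast deauths, reason 7
SAMPLE.append((4.0, bytes([0x08, 0x00]) + b"\x00" * 22 + b"payload"))    # data frame, ignored by the detector

if __name__ == "__main__":
    for bssid, stats in detect_deauth_flood(SAMPLE).items():
        print(f"deauth flood from {bssid}: peak {stats['peak']} per window, "
              f"{stats['broadcast']} sent to broadcast")
```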
  9.  Which wireless standard is designed to work at 54 Mbps on a frequency range of 2.4 GHz?
A.  802.11a
B.  802.11b
C.  802.11g
D.  802.11n
C. The 802.11 series of standards identifies all sorts of wireless goodies, such as the order imposed on how clients communicate, rules for authentication, data transfer, size of packets, how the messages are encoded into the signal, and so on. 802.11g combines the advantages of both the “a” and “b” standards without as many of the drawbacks. It’s fast (at 54 Mbps), backward compatible with 802.11b clients, and doesn’t suffer from the coverage area restrictions 802.11a has to contend with. Considering it operates in the 2.4 GHz range, however, there may be some interference issues to deal with. Not only are a plethora of competing networks blasting their signals (sometimes on the same channel) near and around your network, but you’ve also got to take into account Bluetooth devices, cordless phones, and even baby monitors that may cause disruption (due to interference) of wireless signals. And microwave ovens happen to run at 2.45 GHz—right smack dab in the middle of the range.
A is incorrect because 802.11a operates at 54 Mbps, but uses the 5 GHz frequency range. The big drawback to 802.11a was the frequency range itself—due to the higher frequency, network range was limited. Whereas 802.11b clients could be spread across a relatively large distance, 802.11a clients could communicate much faster, but had to be closer together. Combined with the increased cost of equipment, this contributed to 802.11a not being fully accepted as a de facto standard. That said, for security purposes it may not be a bad choice: Not as many people use it, or even look for it, and its smaller range may work to assist you in preventing spillage outside your building.
B is incorrect because 802.11b operates at 11 Mbps on the 2.4 GHz frequency range. It’s slower than “a” or “g,” but soon after its release it became the de facto standard for wireless. Price and network range contributed to this.
D is incorrect because 802.11n works at 100 Mbps (+) in frequency ranges from 2.4 GHz to 5 GHz. It achieves this rate using MIMO (multiple in, multiple out) antennas.
10.  Which of the following describes sending unsolicited messages to a Bluetooth device?
A.  BlueSmacking
B.  Bluejacking
C.  BlueSniffing
D.  BlueSnarfing
B. Bluejacking is a relatively simple attack—even if it usually just annoys the person it’s aimed at. In Bluejacking, the attacker gets close enough that the Bluetooth device being targeted is in range (usually around 30 feet) and just sends messages to the target. In many cases this is just an annoyance—much like spam in your e-mail box. However, it can be used to trick a target (almost like a social engineering attack) into performing actions that do put security at risk.
A is incorrect because BlueSmacking is a denial of service attack on a Bluetooth device. It has been described as a “ping of death for Bluetooth” and makes use of the same echo-response type of features ICMP provides within a wired network. The Linux BlueZ packages (www.bluez.org) can carry this attack out.
C is incorrect because BlueSniffing is, amazingly enough, an attack where the device’s transmissions are sniffed for useful information.
D is incorrect because BlueSnarfing refers to the actual theft of data directly from the device. This takes advantage of the “pairing” feature of most Bluetooth devices, willingly seeking out other devices to link up with.
11.  Which of the tools listed here is a passive discovery tool?
A.  Aircrack
B.  Kismet
C.  NetStumbler
D.  Netsniff
B. A question like this one can be a little tricky, depending on its wording; however, per EC-Council, Kismet works as a true passive network discovery tool, with no packet interjection whatsoever. The following is from www.kismetwireless.net: “Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and (with appropriate hardware) can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet also supports plugins which allow sniffing other media.” You might also see two other interesting notables about Kismet on your exam: First, it works by “channel hopping,” to discover as many networks as possible. Second, it has the ability to sniff packets and save them to a log file, readable by Wireshark or TCPDump.
A is incorrect because aircrack is “an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the all-new PTW attack” (www.aircrack-ng.org).
C is incorrect because NetStumbler is considered an active network discovery application. NetStumbler is among the most popular wireless tools you might see in anyone’s arsenal.
D is incorrect because Netsniff is included as a distractor and is not a valid tool.
12.  You have discovered an access point using WEP for encryption purposes. Which of the following is the best choice for uncovering the network key?
A.  NetStumbler
B.  Aircrack
C.  John the Ripper
D.  Kismet
B. Aircrack is a very fast tool for cracking WEP. You’ll need to gather a lot of packets (assuming you’ve collected at least 50,000 packets or so, it’ll work swimmingly fast) using another toolset, but once you have them together aircrack does a wonderful job cracking the key. One method aircrack uses that you may see referenced on the exam is KoreK implementation, which basically involves slicing bits out of packets and replacing them with guesses—the more this is done, the better the guessing and, eventually, the faster the key is recovered. Other tools for cracking WEP include Cain (which can also use KoreK), KisMac, WEPCrack, and Elcomsoft’s Wireless Security Auditor tool.
A is incorrect because NetStumbler is a network discovery tool. It can also be used to identify rogue access points and interference, and is also useful in measuring signal strength (for aiming antennas and such).
C is incorrect because John the Ripper is a Linux-based password-cracking tool, not a wireless key discovery one.
D is incorrect because Kismet is a passive network discovery (and other auditing) tool, but does not perform key cracking.
13.  Which of the following statements are true regarding TKIP? (Choose all that apply.)
A.  Temporal Key Integrity Protocol forces a key change every 10,000 packets.
B.  Temporal Key Integrity Protocol ensures keys do not change during a session.
C.  Temporal Key Integrity Protocol is an integral part of WEP.
D.  Temporal Key Integrity Protocol is an integral part of WPA.
A and D. TKIP is a significant step forward in wireless security. Instead of sticking with one key throughout a session with a client and reusing it, as occurred in WEP, Temporal Key Integrity Protocol changes the key out every 10,000 packets or so. Additionally, the keys are transferred back and forth during an EAP (Extensible Authentication Protocol) authentication session, which makes use of a four-step handshake process in proving the client belongs to the AP, and vice versa. TKIP came about in WPA.
B and C are simply incorrect statements. TKIP does not maintain a single key, it changes it frequently, and it is part of WPA (and WPA2), not WEP.
14.  Regarding SSIDs, which of the following are true statements? (Choose all that apply.)
A.  SSIDs are always 32 characters in length.
B.  SSIDs can be up to 32 characters in length.
C.  Turning off broadcasting prevents discovery of the SSID.
D.  SSIDs are a part of every packet header from the AP.
E.  SSIDs provide important security for the network.
F.  Multiple SSIDs are needed to move between APs within an ESS.
B and D. Service Set Identifiers only have one real function in life, so far as you’re concerned on this exam: identification. They are not a security feature in any way, shape, or form, and are designed solely to identify one access point’s network from another’s. SSIDs can be up to 32 characters in length, but don’t have to be that long (in fact, you’ll probably discover most of them are not).
A is incorrect because SSIDs do not have to be 32 characters in length. They can be, but they do not have to fill 32 characters of space.
C is incorrect because “cloaking” the SSID really doesn’t do much at all. It’s still a part of every packet header, so discovery is relatively easy.
E is incorrect because SSIDs are not considered a security feature for wireless networks.
F is incorrect because an Extended Service Set (ESS, an enterprise-wide wireless network consisting of multiple APs) only requires a single SSID that all APs work with.
15.  You are discussing WEP cracking with a junior pen test team member. Which of the following are true statements regarding the Initialization Vectors? (Choose all that apply.)
A.  IVs are 32 bits in length.
B.  IVs are 24 bits in length.
C.  IVs get reused frequently.
D.  IVs are sent in clear text.
E.  IVs are encrypted during transmission.
F.  IVs are used once per encryption session.
B, C, and D. Weak Initialization Vectors and poor encryption are part of the reason WEP implementation is not encouraged as a true security measure on wireless networks. And, let’s be fair here, it was never truly designed to be: hence it being named Wired Equivalent Privacy instead of Wireless Encryption Protocol (as some have erroneously tried to name it). IVs are 24 bits in length, are sent in clear text and are reused a lot. Capture enough packets, and you can easily crack the code.
A, E, and F are incorrect statements. IVs are not 32 bits in length, are not encrypted themselves, and are definitely not used once per session (that would be even worse than being reused).
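To put numbers on the 24-bit IV discussed in questions 4 and 15, here is an added example (not from the book) that builds WEP frame bodies the way the standard lays them out (clear-text IV, then RC4 over payload plus CRC-32 ICV), reads the IV back without the key, works out the birthday bound and wrap time for a 2^24 IV space, and shows why a repeated IV under the same key leaves the XOR of two plaintexts exposed. The key, IV and payloads are constructed values.

```python
import math
import struct
import zlib
from typing import Dict, List, Optional

IV_BITS = 24
IV_SPACE = 1 << IV_BITS   # 16,777,216 possible IVs


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encapsulate(key: bytes, iv: bytes, payload: bytes, key_id: int = 0) -> bytes:
    """WEP frame body: IV(3) | KeyID(1) | RC4_{IV||key}(payload || CRC-32 ICV).

    The IV is prepended unencrypted so the receiver can rebuild the same RC4 seed."""
    assert len(iv) == 3 and len(key) in (5, 13)      # 40- or 104-bit key
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    ks = rc4_keystream(iv + key, len(payload) + 4)
    return iv + bytes([key_id << 6]) + bytes(a ^ b for a, b in zip(payload + icv, ks))


def wep_decapsulate(key: bytes, body: bytes) -> Optional[bytes]:
    """Reverse wep_encapsulate; returns the payload, or None if the ICV does not match."""
    iv, cipher = body[:3], body[4:]
    plain = bytes(a ^ b for a, b in zip(cipher, rc4_keystream(iv + key, len(cipher))))
    payload, icv = plain[:-4], plain[-4:]
    return payload if struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF) == icv else None


def wep_iv(body: bytes) -> bytes:
    """What a passive sniffer reads from every WEP frame with no key at all."""
    return body[:3]


def packets_until_iv_repeat(prob: float = 0.5) -> int:
    """Birthday bound: frames needed before some IV repeats with probability `prob`,
    assuming IVs are drawn at random from the 2^24 space."""
    return math.ceil(math.sqrt(2 * IV_SPACE * math.log(1 / (1 - prob))))


def hours_until_iv_wrap(frames_per_second: float) -> float:
    """Time for a counter-style IV to run through all 2^24 values at a given frame rate."""
    return IV_SPACE / frames_per_second / 3600


def find_iv_reuse(bodies: List[bytes]) -> Dict[bytes, int]:
    """Count how often each IV appears in a set of captured bodies; return the repeats."""
    counts: Dict[bytes, int] = {}
    for body in bodies:
        counts[wep_iv(body)] = counts.get(wep_iv(body), 0) + 1
    return {iv: n for iv, n in counts.items() if n > 1}


def shared_keystream_xor(body_a: bytes, body_b: bytes) -> Optional[bytes]:
    """Two frames that reuse an IV under the same key were masked with the same RC4
    keystream, so XORing the ciphertexts cancels it and leaves plaintext_a XOR plaintext_b.
    Returns None when the IVs differ (different keystreams, nothing cancels)."""
    if wep_iv(body_a) != wep_iv(body_b):
        return None
    return bytes(a ^ b for a, b in zip(body_a[4:], body_b[4:]))


# Constructed sample values (not from a capture).
KEY40 = bytes.fromhex("0badc0ffee")
IV = bytes.fromhex("1a2b3c")
FRAME_A = wep_encapsulate(KEY40, IV, b"GET /index.html ")
FRAME_B = wep_encapsulate(KEY40, IV, b"POST /login.php ")   # same IV reused

if __name__ == "__main__":
    print("IV sent in clear:", wep_iv(FRAME_A).hex())
    print("50% chance of an IV repeat after", packets_until_iv_repeat(), "frames")
    print("IV space exhausted in %.1f h at 1000 frames/s" % hours_until_iv_wrap(1000))
    print("repeated IVs in sample:", find_iv_reuse([FRAME_A, FRAME_B]))
```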
16.  A pen test member has configured a wireless access point with the same SSID as the target organization’s SSID and has set it up inside a closet in the building. After some time, clients begin connecting to his access point. Which of the following statements are true regarding this attack? (Choose all that apply.)
A.  The rogue access point may be discovered by security personnel using NetStumbler.
B.  The rogue access point may be discovered by security personnel using NetSurveyor.
C.  The rogue access point may be discovered by security personnel using Kismet.
D.  The rogue access point may be discovered by security personnel using aircrack.
E.  The rogue access point may be discovered by security personnel using ToneLoc.
A, B, and C. Rogue access points (sometimes called evil twin attacks) can provide a very easy way to gain useful information from clueless users on a target network. However, be forewarned, security personnel can use multiple tools and techniques to discover rogue APs. NetStumbler is one of the more popular, and useful, tools available. It’s a great network discovery tool that can also be used to identify rogue access points, network interference, and signal strength. Kismet, another very popular tool, provides many of the same features and is noted as a “passive” network discovery tool. NetSurveyor is a free, easy-to-use Windows-based tool that provides many of the same features as NetStumbler and Kismet, and works with virtually every wireless NIC in modern existence. A “professional” version of NetSurveyor is now available (you get 10 uses of it before you’re required to buy a license). Lastly, identification of a rogue access point requires the security staff to have knowledge of every access point owned—and its MAC. If it’s known there are 10 APs in the network and suddenly an 11th appears, that alone won’t help find and disable the bad one. It takes some level of organization to find these things, and that plays into your hands as an ethical hacker. The longer your evil twin is left sitting there, the better chance it will be found, so keep it short and sweet.
D is incorrect because aircrack is used to crack network encryption codes, not to identify rogue access points.
E is incorrect because ToneLoc is a tool used for war dialing (identifying open modems within a block of phone numbers). As an aside, this was also the moniker for a 90s one-hit-wonder “rap” artist, although I can promise that won’t be on your exam.
17.  A pen test member is running the airsnarf tool from a Linux laptop. What is she attempting to do?
A.  MAC flooding against an AP on the network
B.  Denial of service attacks against APs on the network
C.  Cracking network encryption codes from the WEP AP
D.  Stealing usernames and passwords from an AP
D. Identifying tools and what they do is a big part of the exam—which is easy enough because it’s pure memorization, and this is a prime example. Per the website (http://airsnarf.shmoo.com/), “Airsnarf is a simple rogue wireless access point setup utility designed to demonstrate how a rogue AP can steal usernames and passwords from public wireless hotspots. Airsnarf was developed and released to demonstrate an inherent vulnerability of public 802.11b hotspots—snarfing usernames and passwords by confusing users with DNS and HTTP redirects from a competing AP.” It basically turns your laptop into a competing AP in the local area and confuses client requests to send your way.
A is incorrect because airsnarf does not provide MAC flooding. You may want to MAC flood a network switch for easier sniffing, but that doesn’t work the same way for an access point on a wireless network.
B is incorrect because airsnarf is not a DoS tool. You can make an argument the clients themselves are denied service while they’re erroneously communicating with the airsnarf laptop, but it’s not the intent of the application to DoS the network. Quite the opposite: The longer things stay up and running, the more usernames and passwords that can be gathered.
C is incorrect because airsnarf is not an encryption-cracking tool. It reads a lot like “aircrack,” so don’t get confused (these will be used as distractors against one another on your exam).
18.  What frequency does Bluetooth operate in?
A.  2.4–2.48 GHz
B.  2.5 GHz
C.  2.5–5 GHz
D.  5 GHz
A. Yes, you may actually get a question this “down in the weeds” regarding Bluetooth. As an additional study note, you will commonly see a reference to Bluetooth working at 2.45 GHz (it’s in the range). Bluetooth is designed to work at around 10 meters of range and can attach up to eight devices simultaneously. It makes use of something called spread-spectrum frequency hopping, which significantly reduces the chance that more than one device will use the same frequency in communicating.
B, C, and D are incorrect frequency ranges for Bluetooth.
19.  Which of the following is true regarding wireless network architecture?
A.  The service area provided by a single AP is known as an ESS.
B.  The service area provided by a single AP is known as a BSSID.
C.  The service area provided by multiple APs acting within the same network is known as an ESS.
D.  The service area provided by multiple APs acting within the same network is known as an ESSID.
C. An Extended Service Set (ESS) is created by having multiple access points work within the same network SSID and encryption standard to provide extended, uninterrupted coverage for clients. So long as you have everything configured correctly (SSID, channels, and so on), as a client moves from one AP in your network to another they’ll disassociate from one AP and (re)associate with another seamlessly. This movement across multiple APs within a single ESS is known as roaming.
A is incorrect because a single AP’s coverage area is referred to as a Basic Service Set (BSS).
B is incorrect because the Basic Service Set Identification (BSSID) is the MAC address of the access point within the BSS.
D is incorrect because the Extended Service Set Identification (ESSID) is the SSID for an ESS (the up-to-32-character code that identifies the network you’re on as you roam from AP to AP in the organization’s wireless network).
20.  A pen tester boosts the signal reception capabilities of a laptop. She then drives from building to building in the target organization’s campus searching for wireless access points. What attack is she performing?
A.  War chalking
B.  War walking
C.  War driving
D.  War moving
C. This is one of those easy questions on the exam, because the term war driving is fairly well known. In war driving, an attacker boosts the reception capability of a laptop as best as possible and installs NetStumbler, Kismet, OmniPeek, NetSurveyor, or any of hundreds of network discovery tools. She then simply drives around, identifying which networks are available and where their signal is the strongest.
A is incorrect because war chalking is the act of drawing a symbol to indicate wireless hotspot locations. A war chalk is a symbol drawn somewhere in a public place indicating the presence of a wireless network. These can indicate free networks, hidden SSIDs, pay-for-use hotspots, and which encryption technique is in use.
B is incorrect because war walking, sometimes referred to as war jogging, is done on foot. In practice, it’s no different than war driving—only that the attacker is walking or jogging as opposed to driving a vehicle.
D is incorrect because war moving, to my knowledge, is not a wireless network discovery term, and is included purely as a distractor.
21.  You are examining the physical configuration of a target’s wireless network. You notice on the site survey that omnidirectional antenna access points are located in the corners of the building. Which of the following statements are true regarding this configuration? (Choose all that apply.)
A.  The site may be vulnerable to sniffing from locations outside the building.
B.  The site is not vulnerable to sniffing from locations outside the building.
C.  The use of dipole antennas may improve the security of the site.
D.  The use of directional antennas may improve the security of the site.
A and D. There are a couple of problems with an omnidirectional (dipole) antenna. The first is the coverage area itself. Because it’s omnidirectional, it’s sending (and looking for) signals in all directions. Therefore, if the AP is placed in the corner of the building, roughly three-quarters of the coverage space is wasted. Unless, of course, you’re an attacker sitting in a car outside, drinking coffee and happily surfing away on the free wireless the company has so carelessly provided to the parking lot. The second problem is the power consumption needed for this coverage. Because it’s designed to send in all directions, the effective coverage area inside the building is reduced, and users on the edges will definitely notice it. Think about it—if your AP is in the corner and three-quarters of its coverage is outside the building, that’s three-quarters of the power of the device wasted. If you were to concentrate that power—by focusing the signal with a directional antenna—just think of the range and speed of access you could provide your clients.
Allow me to make one last point here and I promise I’ll stop talking about antennas: It is a far greater use of time and resources for an organization to securely implement networking in the first place than it is to worry about antenna types and placement. Your security staff isn’t saving money by following some ridiculous bean-counting analysis that results in buying a $100 antenna versus paying for a $200-an-hour security analyst—especially if you wind up getting hacked by some guy in a van using a +40 dB dish to sniff traffic you failed to protect.
B and C are incorrect statements regarding this architecture. Because the antenna is omnidirectional, the signals will spill out around the building if the AP is put in the corner. Therefore, the site is susceptible to unauthorized clients accessing the signal from outside. Additionally, a dipole antenna is, by its very design and nature, omnidirectional.
22.  Which of the following is a true statement regarding wireless security?
A.  WPA2 is a better encryption choice than WEP.
B.  WEP is a better encryption choice than WPA2.
C.  Cloaking the SSID and implementing MAC filtering eliminates the need for encryption.
D.  Increasing the length of the SSID to its maximum increases security for the system.
A. WPA2 is, by far, a better security choice for your system. It makes use of TKIP to change out the keys every 10,000 packets instead of using one key for the entire session (as in WEP). Additionally, WPA2 uses AES for encryption and a 128-bit encryption key, as opposed to RC4 and 24-bit IVs in WEP.
B is incorrect because WEP only provides the equivalent privacy of being on a wired network. Its “encryption” is ridiculously easy to crack and is not considered a valid security measure. It’s perfectly reasonable to use it if your goal is just to frustrate casual surfers from connecting to your network (such as your neighbors), but it’s not a valid encryption method.
C is incorrect because these two options do nothing to protect the actual data being transmitted. SSID cloaking is somewhat pointless, given that SSIDs are included in every header of every packet (not to mention that SSIDs aren’t designed for security). MAC filtering will frustrate casual observers; however, spoofing a MAC address on the network is relatively easy and eliminates this as a foolproof security method.
D is incorrect because the length of an SSID has nothing whatsoever to do with security and encryption. Increasing the length of the SSID does not increase network security.
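The explanation above rests on the size of WEP’s 24-bit IV space. The following is an added worked example (not from the book) that uses the birthday bound to show how quickly a randomly chosen 24-bit IV repeats, and compares it with the 10,000-packet TKIP rekey interval the answer quotes; the 48-bit comparison space is an assumption added here for contrast, not a figure from the question.

```python
"""
Added example: how soon a 24-bit WEP IV is reused (birthday problem).
Assumes each packet's IV is drawn uniformly at random from the IV space;
real WEP drivers often used counters or weaker generators, which is worse,
since an IV collision means the same RC4 keystream is applied twice.
"""
import math

WEP_IV_BITS = 24             # WEP IV length, as stated in the question
TKIP_REKEY_PACKETS = 10_000  # rekey interval the answer quotes for TKIP
COMPARISON_BITS = 48         # assumed larger per-packet counter space for contrast


def iv_reuse_probability(packets: int, iv_bits: int = WEP_IV_BITS) -> float:
    """Exact probability that at least two of `packets` random IVs drawn
    from a space of 2**iv_bits values are identical."""
    space = 2 ** iv_bits
    if packets > space:
        return 1.0  # pigeonhole principle: a repeat is certain
    # P(no collision) = prod_{i=0}^{n-1} (1 - i/space), accumulated in log space
    log_no_collision = sum(math.log1p(-i / space) for i in range(packets))
    return 1.0 - math.exp(log_no_collision)


def packets_for_reuse_probability(prob: float, iv_bits: int = WEP_IV_BITS) -> int:
    """Approximate packet count after which an IV repeat has probability
    `prob`, from the birthday approximation n ~= sqrt(2*N*ln(1/(1-prob)))."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - prob))))


if __name__ == "__main__":
    for n in (1_000, 4_096, TKIP_REKEY_PACKETS, 50_000):
        print(f"{n:>6} WEP packets: P(IV reused) = {iv_reuse_probability(n):.3f}")
    print("Packets until a 50% chance of WEP IV reuse:",
          packets_for_reuse_probability(0.5))
    print(f"Same {TKIP_REKEY_PACKETS} packets with a {COMPARISON_BITS}-bit space: "
          f"P = {iv_reuse_probability(TKIP_REKEY_PACKETS, COMPARISON_BITS):.2e}")
```

Within one TKIP rekey interval of 10,000 packets, a WEP IV collision is already about 95% likely, and the colliding IVs are visible in cleartext to anyone sniffing.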
23.  A pen test colleague is attempting to use a wireless connection inside the target’s building. On his Linux laptop he types the following commands:
images
What is the most likely reason for this action?
A.  Port security is enabled on the access point.
B.  The SSID is cloaked from the access point.
C.  MAC filtering is enabled on the access point.
D.  Weak signaling is frustrating connectivity to the access point.
C. The sequence of the preceding commands has the attacker bringing the wireless interface down, changing its hardware address, then bringing it back up. The most likely reason for this is that MAC filtering is enabled on the AP, restricting access to only those machines the administrator wants connecting to the wireless network. The easy way around this is to watch traffic and copy one of the MAC addresses. A quick spoof on your own hardware and—voilà—you’re connected.
A is incorrect because port security isn’t an option on wireless access points. Were this attacker connecting to a switch, this might be valid, but not on a wireless connection.
B is incorrect because SSID cloaking has nothing to do with this scenario. The commands are adjusting a MAC address.
D is incorrect because weak signal strength has nothing to do with this scenario. The commands are adjusting a MAC address.
24.  An individual attempts to make a call using his cell phone; however, it seems unresponsive. After a few minutes’ effort, he turns it off and turns it on again. During his next phone call, the phone disconnects and becomes unresponsive again. Which Bluetooth attack is underway?
A.  BlueSmacking
B.  Bluejacking
C.  BlueSniffing
D.  BlueSnarfing
A. From the description, it appears the phone is either defective or—since it’s spelled out so nicely in the question for you—there is a denial of service attack against the phone. As stated earlier, BlueSmacking is a denial of service attack on a Bluetooth device. An attacker somewhere nearby (within 10 meters or, for the real bad guys, farther away using a big enough transmitter, amplifier, and antenna) is using something like the Linux BlueZ packages (www.bluez.org) to carry out a DoS against the phone.
B is incorrect because Bluejacking involves sending unsolicited messages—much like spam—to a Bluetooth device.
C is incorrect because BlueSniffing is a basic sniffing attempt, where the device’s transmissions are sniffed for useful information.
D is incorrect because BlueSnarfing refers to the actual theft of data directly from the device. This takes advantage of the “pairing” feature of most Bluetooth devices, which willingly seek out other devices to link up with.
25.  Which wireless standard achieves high data rate speeds by implementing MIMO antenna technology?
A.  802.11b
B.  802.11g
C.  802.11n
D.  802.16
C. 802.11n boasts speeds of over 100 Mbps, operating in a frequency range from 2.4 to 5 GHz. One method it uses to achieve this is known as MIMO (multiple in, multiple out). MIMO, not unlike other technologies you’re supposed to learn about, has tons of mind-numbing technical minutiae to explore concerning how it works, but basically the thought behind it is to use multiple antennas, in somewhat of an array, to send and receive simultaneously. Also known as smart antennas, these greatly speed up wireless communications. Once the technology dropped to a more affordable price range, it became more and more prevalent. Another note you may see referenced on this standard has to do with the multiplexing used within the transmission: 802.11n uses something called Spatial Division Multiplexing (SDM).
A and B are incorrect because neither standard uses MIMO antennas.
D is incorrect because 802.16 is a set of IEEE standards for wireless within a metropolitan area network. Referred to as WiMAX (Worldwide Interoperability for Microwave Access), 802.16 was written for the global development of broadband wireless metropolitan area networks. It provides speeds up to 40 Mbps and is moving toward gigabit speeds.