16 CEH: Hacking Wireless Networks

Which of the following is a wireless security layer where per frame/packet authentication provides protection against MITM attacks and prevents an attacker from sniffing data when two genuine users communicate with each other? 1. End-user protection 2. Connection security 3. Device security 4. Wireless signal security

2. Connection security

Which of the following tools helps attackers identify networks by passively collecting packets and detecting standard named networks, hidden networks, and the presence of non-beaconing networks via data traffic? 1. Netcraft 2. Kismet 3. Robber 4. L0phtCrack

2. Kismet

Which of the following techniques is used by network management software to detect rogue APs? 1. AP scanning 2. Wired side inputs 3. RF scanning 4. Virtual-private network

2. Wired side inputs

RADIUS is a centralized system for what two things?

1. Authentication 2. Authorization

What 4 techniques can be used by aircrack-ng when cracking WEP keys?

1. Dictionary 2. KoreK 3. Pyshkin, Tews, and Weinmann (PTW) 4. Fluhrer, Mantin, and Shamir (FMS)

What are the 4 steps to *cracking WPA-PSK using aircrack-ng*?

1. Monitor wireless traffic with *airmon-ng* 2. Collect wireless traffic data with *airodump-ng* 3. Deauth the client using *aireplay-ng*; the client will try to authenticate with the AP, which will lead to *airodump* capturing an authentication packet (WPA handshake) 4. Run the capture file through *aircrack-ng*

Which tool would be used to collect wireless packet data? 1. NetStumbler 2. Netcat 3. John the Ripper 4. Nessus

1. NetStumbler

What are the 4 steps of *launching a MITM attack using aircrack-ng*?

1. Run *airmon-ng* in monitor mode 2. Start *airodump* to discover SSIDs on interface 3. De-authenticate the client using *aireplay-ng* 4. Associate your wireless card with the AP you are accessing with *aireplay-ng*

What are the 5 steps of *cracking WEP using aircrack-ng*?

1. Run *airmon-ng* in monitor mode 2. Start *airodump-ng* to discover SSIDs on interface and keep it running; your capture file should contain more than 50,000 IVs to successfully crack the WEP key 3. Associate your wireless card with the target AP 4. Inject packets using *aireplay-ng* to generate traffic on the target AP 5. Wait for *airodump-ng* to capture more than 50,000 IVs; crack WEP key using *aircrack-ng*

What 4 *Wi-Fi packet sniffer* tools does the material recommend?

1. SteelCentral Packet Analyzer 2. Omnipeek Network Protocol Analyzer 3. CommView for Wi-Fi 4. Kismet

Which of the following does not provide cryptographic integrity protection? 1. WEP 2. WPA 3. TKIP 4. WPA2

1. WEP

What are the *6 phases of the wireless hacking methodology*?

1. Wi-Fi discovery 2. GPS mapping 3. Wireless traffic analysis 4. Launch of wireless attacks 5. Wi-Fi encryption cracking 6. Compromise the Wi-Fi network

What 2 *GPS mapping tools* does the material recommend?

1. WiGLE 2. Maptitude Mapping Software

Which of the following components of Cisco's WIPS deployment forwards attack information from wireless IPS monitor-mode APs to the MSE and distributes configuration parameters to APs? 1. Wireless LAN controller 2. Mobility services engine 3. Wireless control system 4. Local mode AP

1. Wireless LAN controller

What 3 *Wi-Fi discovery tools* does the material recommend?

1. inSSIDer Plus 2. NetSurveyor 3. Wi-Fi Scanner

What is the attack where an attacker erects a fake LTE tower to redirect connections?

Active aLTEr attack

What is an enhancement to 802.11a and 802.11b that enables global portability by allowing variations in frequencies, power levels, and bandwidth?

802.11d

What standard provides guidance for prioritization of data, voice, and video transmissions enabling quality of service?

802.11e

What is a standard for wireless local area networks (WLANs) that *provides improved encryption for networks that use 802.11a, 802.11b, and 802.11g standards* and *defines WPA2-Enterprise/WPA2-Personal for Wi-Fi*?

802.11i

What is an attack where an attacker spoofs the MAC address of an authorized WLAN client to connect to the AP?

AP MAC spoofing attack

What technique is used by an *AP* to detect rogue APs?

AP scanning

What is an attack that aims to penetrate a network by *evading WLAN access control measures* such as AP MAC filters and Wi-Fi port access controls?

Access control attack

What is an attack in which an attacker uses any USB adapter or wireless card and connects a host to an unsecured client to attack a specific client or to avoid AP security?

Ad-hoc connection attack

What is the process of connecting a wireless device to an AP?

Association

What is an attack that attempts to steal the identify of Wi-Fi clients to gain unauthorized access to the network?

Authentication attack

What is an attack that aims at *obstructing the delivery of wireless services to legitimate users*, either by crippling those resources or by denying them access to WLAN resources?

Availability attack

What is the MAC address of an AP that has set up a Basic Service Set?

Basic Service Set Identifier (BSSID)

What is the art of *collecting information about Bluetooth-enabled devices* such as manufacturer, device model, and firmware version?

BluePrinting

What is the proof of concept code for a Bluetooth *wardriving* utility?

BlueSniff

What do you call *remotely accessing* a Bluetooth-enabled device and using its features?

Bluebugging

What do you call *sending unsolicited messages* over Bluetooth to Bluetooth-enabled devices?

Bluejacking

What is a denial-of-service attack which *overflows Bluetooth-enabled devices* with random packets?

Bluesmacking

What is the theft of information from a wireless device through a Bluetooth connection?

Bluesnarfing

What do you call intercepting data intended for Bluetooth-enabled devices?

Bluetooth MAC spoofing attack

What *Bluetooth hacking tool* does the material recommend?

BluetoothView

What is Bluetooth attack is used to *bypass security mechanisms* and listen to information being shared?

Btlejacking

What is an attack where an attacker uses an AP with an SSID of *McDonald's Wifi* or some other such SSID to tempt users to connect?

Honeypot AP attack

What is a method of encoding digital data on multiple carrier frequencies *at the same time*?

Orthogonal frequency-division multiplexing (OFDM)

What attack is similar to a *rogue AP attack*, except the rogue AP is set up *nearby but outside the target network*?

Client mis-association attack

What is an attack that attempts to *intercept confidential information sent over wireless associations*, regardless of whether they were sent in clear text or encrypted by Wi-Fi protocols?

Confidentiality attack

Name the following attack. 1. A client is authenticated and associated with an AP 2. An attacker sends a de-authenticate request packet to take a single client offline

De-authentication denial-of-service attack

What technique does aircrack-ng use to crack WPA and WPA-2 pre-shared keys (PSKs)?

Dictionary

What is a bidirectional antenna used to support client connections rather than site-to-site applications?

Dipole antenna

What is an original data signal multiplied with a pseudo-random noise spreading the code?

Direct-sequence spread spectrum (DSSS)

Name the following attack. 1. A client is authenticated and associated with an AP 2. An attacker sends a disassociate request packet to take the client offline

Disassociation denial of service attack

What is a protocol that encapsulates the EAP with an encrypted and authenticated TLS tunnel?

Protected Extensible Authentication Protocol (PEAP)

What is the *encryption algorithm*, *IV size*, *encryption key length*, *key management*, and *integrity check mechanism* of *WPA2*?

Encryption algorithm: AES-CCMP IV Size: 48-bits Encryption key length: 128-bits Key management: 4-way handshake Integrity check mechanism: CBC-MAC

What is the *encryption algorithm*, *IV size*, *encryption key length*, *key management*, and *integrity check mechanism* of *WPA3-Enterprise*?

Encryption algorithm: AES-GCMP-256 IV Size: Arbitrary length 1-(2^64) Encryption key length: 192-bits Key management: SAE, ECDH & ECDSA Integrity check mechanism: BIP-GMAC-256

What is the *encryption algorithm*, *IV size*, *encryption key length*, *key management*, and *integrity check mechanism* of *WEP*?

Encryption algorithm: RC4 IV Size: 23-bits Encryption key length: 40/104 bits Key management: None Integrity check mechanism: CRC-32

What is the *encryption algorithm*, *IV size*, *encryption key length*, *key management*, and *integrity check mechanism* of *WPA*?

Encryption algorithm: RC4, TKIP IV Size: 48-bits Encryption key length: 128-bits Key management: 4-way handshake Integrity check mechanism: Michael algorithm (MIC) & CRC-32

What is a tool for performing wireless man-in-the-middle attacks?

Ettercap

What tool can be used for *wireless ARP poisoning*?

Ettercap

The IEEE 802.1X standard defines a method that uses what protocol to establish port-based network access control (NAC)?

Extensible Authentication Protocol (EAP)

What is an authentication protocol that supports multiple authentication methods, such as token cards, Kerberos, and certificates?

Extensible Authentication Protocol (EAP)

What is a method of transmitting radio signals by rapidly switching a carrier among many frequency channels?

Frequency-hopping spread spectrum (FHSS)

What is the *frequency (GHz)*, *modulation*, *speed (Mbps)*, and *range (meters)* of *802.15.4 (ZigBee)*?

Frequency: 0.868, 0.915, or 2.4 Ghz Modulation: O-QPSK, GFSK, BPSK Speed: 0.02, 0.04, 0.25 Mbps Range: 1-100 meters

What is the *frequency (GHz)*, *modulation*, *speed (Mbps)*, and *range (meters)* of *802.16 (WiMAX)*?

Frequency: 2-11 GHz Modulation: SOFDMA Speed: 34-100 Mbps Range: 1609.34 - 9656.06 meters (1-6 miles)

What is the *frequency (GHz)*, *modulation*, *speed (Mbps)*, and *range (meters)* of *802.11b*?

Frequency: 2.4 GHz Modulation: DSSS Speed: 1, 2, 5.5, 11 Mbps Range: 35-140 meters

What is the *frequency (GHz)*, *modulation*, *speed (Mbps)*, and *range (meters)* of *802.11*?

Frequency: 2.4 GHz Modulation: DSSS, FHSS Speed: 1.2 Mbps Range: 20-100 meters

What is the *frequency (GHz)*, *modulation*, *speed (Mbps)*, and *range (meters)* of *802.11g*?

Frequency: 2.4 GHz Modulation: OFDM Speed: 6, 9, 12, 18, 24, 36, 48, 54 Mbps Range: 38 - 140 meters

What is the *frequency (GHz)*, *modulation*, *speed (Mbps)*, and *range (meters)* of *802.15.1 (Bluetooth)*?

Frequency: 2.4 Ghz Modulation: GFSK, pi/4-DPSK, 8DPSK Speed: 25-50 Mbps Range: 10-240 meters

What is the *frequency (GHz)*, *modulation*, *speed (Mbps)*, and *range (meters)* of *802.11n*?

Frequency: 2.4 or 5 GHz Modulation: MIMO-OFDM Speed: 54-600 Mbps Range: 70-250 meters

What is the *frequency (GHz)*, *modulation*, *speed (Mbps)*, and *range (meters)* of *802.11a*?

Frequency: 3.7 or 5 GHz Modulation: OFDM Speed: 16, 9, 12, 18, 24, 26, 48, 54 Mbps Range: 35-100 or 5000 meters

What communication protocol is a variant of the Wi-Fi standard that provides an extended range, making it useful for communications in rural areas, and offers low data rates?

HaLow

Wireless networks are based on *what standard*?

IEEE 802.11

What is a set of frequencies for the international industrial, scientific, and medical communities?

ISM band

What the attack where the network administrator misconfigures the AP such that it doesn't require a password, allowing the attacker to easily enter the network

Misconfigured AP attack

What is an attack where an attacker *sends forged control, management, or data frames over a wireless network* to misdirect the wireless devices to perform another type of attack?

Integrity attack

Why is WEP vulnerable?

It uses a 24-bit initialization vector (IV), which can be easily cracked

What must be enabled on your Wi-Fi card to sniff wireless traffic?

Monitor mode

What is the attack where an attacker exploits a vulnerability in Bluetooth to *eavesdrop all the data* being shared?

KNOB attack

What is the replay attack that exploits WPA2's four-way handshake?

Key Reinstallation Attack (KRACK)

What Linux tool is used to detect 802.11a/b/g/n wireless networks and can sniff traffic?

Kismet

What attack allows an attacker to decrypt a WEP packet without requiring the WEP key?

KoreK Chopchop

What is a proprietary version of the Extensible Authentication Protocol (EAP) developed by Cisco?

Lightweight Extensible Authentication Protocol (LEAP)

What tool can be used for a *rogue AP attack*?

MANA Toolkit

What is an air interface for 4G and 5G broadband wireless?

Multiple input, multiple output orthogonal frequency-division multiplexing (MIMO-OFDM)

What Windows tool is used to detect 802.11a/b/g wireless networks?

Netstumbler

What protocol is used by *BlueJacking* to send anonymous messages to other Bluetooth-enabled devices?

OBEX

What type of antenna is used in wireless communication?

Omnidirectional

What type of antenna is useful for transmitting weak radio signals over very long distances--on the order of 10 miles?

Omnidirectional

What is the name of the authentication process where any wireless device can be authenticated with the AP, thus allowing the device to transmit data only when its WEP key matches to that of the AP?

Open system authentication process

What is an antenna that is based on the principle of a satellite dish but lacks a solid backing and can pick up Wi-Fi signals from ten miles or more?

Parabolic grid antenna

What is the attack where an attacker erects a fake LTE tower to match volatile radio identities to longer lasting ones, with the intent of identifying individual users on a given cell in a cellular network?

Passive aLTEr attack to perform identity mapping

What is the attack where an attacker erects a fake LTE tower use Layer 2 metadata information to determine which site a user visits?

Passive aLTEr attack to perform website fingerprinting

What default technique does aircrack-ng use when cracking WEP keys?

Pyshkin, Tews, and Weinmann (PTW)

What tool does the material recommend for performing *spectrum analysis*?

RF Explorer

What tool can be used to *crack WPS*?

Reaver

What is an antenna that is used to concentrate EM energy, which is radiated or received at a focal point?

Reflector antenna

Name the following attack. 1. An attacker places a rogue wireless AP somewhere within the target 802.11 network *with the same SSID as the legitimate AP* 2. When a user turns on their computer, the rogue wireless AP will offer to connect with the network user 3. All the traffic the user enters will pass through the rogue AP, thus enabling a form of *wireless packing sniffing*

Rogue AP attack

What is a unique identifier of 32 alphanumeric characters given to a wireless local area network (LAN)?

Service Set Identifier (SSID)

What is the authentication process where the station and AP use the same WEP key to provide authentication, which means that this key should be enabled and configured manually on both the AP and client?

Shared key authentication process

What technology is implemented in WPA3-Personal to replace the use of pre-shared keys in WPA2-Personal?

Simultaneous Authentication of Equals (SAE)

What is a variant of a selective forwarding attack where the attacker uses a malicious node and advertises this node as the shortest possible route to reach the base station?

Sinkhole attack

What is the purpose of the *dragon* set of tools?

To crack WPA3 encryption

True or false: In LAN-to-LAN Wireless Network, the APs provide wireless connectivity to local computers, and computers on different networks that can be interconnected.

True

True or false: WEP, WPA, WPA2, and WPA3 all have security flaws.

True

What is an integration of EAP standards with WPA2 encryption?

WPA2 Enterprise

What is an attack where an attacker infects a victim's machine and activates a soft AP, allowing them *unauthorized connection* to the wireless network?

Unauthorized association attack

What wireless security protocol is defined by the *802.11b standard*?

WEP

What wireless security protocol is designed to provide a wireless LAN with a level of security and privacy comparable to that of a wired LAN?

WEP

What is a Wi-Fi security protocol using TKIP and MIC to provide encryption and authentication?

WPA

What is a Wi-Fi security protocol that uses 128-bit AES AND CCMP for wireless data encryption?

WPA2

What wireless security protocol is defined by the *802.11i standard*?

WPA2

What is a Wi-Fi security protocol that uses GCMP-256 for encryption and HMAC-SHA-384 for authentication?

WPA3

What tool does the material recommend for *detecting WPS-enabled APs*?

Wash

What *Wi-Fi hotspot finder tool* does the material recommend?

Wi-Fi Finder

What *mobile Wi-Fi discovery tool* does the material recommend?

WiFi Analyzer

What *war driving* tool does the material recommend?

WiGLE

What is an attack that can obtain 1500 bytes of the pseudo random generation algorithm, which can be used with *packetforge-ng* to perform various injection attacks?

Wireless fragmentation attack

What is an attack where an attacker locates himself within the target network and exploits dynamic routing protocols such as DSR and AODV to create a tunnel to forward data between source and destination nodes, giving them the ability to sniff traffic?

Wormhole attack

What is a unidirectional antenna commonly used in communications for a frequency band of 10 MHz to VHF and UHF?

Yagi antenna

What *aircrack-ng* script is used for cracking credentials found in captured traffic?

aircrack-ng

What *aircrack-ng* script is used for *generating traffic* that can aid in the cracking process?

aireplay-ng

What *aircrack-ng* script enables you to enter *monitor mode* on your wireless card?

airmon-ng

What *aircrack-ng* script is used for *capturing 802.11 packets*?

airodump-ng

What *btlejack* command allows an attacker to *sniff new Bluetooth low-energy connections*?

btlejack -c any