16 CEH: Hacking Wireless Networks
Which of the following is a wireless security layer where per frame/packet authentication provides protection against MITM attacks and prevents an attacker from sniffing data when two genuine users communicate with each other? 1. End-user protection 2. Connection security 3. Device security 4. Wireless signal security
2. Connection security
Which of the following tools helps attackers identify networks by passively collecting packets and detecting standard named networks, hidden networks, and the presence of non-beaconing networks via data traffic? 1. Netcraft 2. Kismet 3. Robber 4. L0phtCrack
2. Kismet
Which of the following techniques is used by network management software to detect rogue APs? 1. AP scanning 2. Wired side inputs 3. RF scanning 4. Virtual-private network
2. Wired side inputs
RADIUS is a centralized system for what two things?
1. Authentication 2. Authorization
What 4 techniques can be used by aircrack-ng when cracking WEP keys?
1. Dictionary 2. KoreK 3. Pyshkin, Tews, and Weinmann (PTW) 4. Fluhrer, Mantin, and Shamir (FMS)
What are the 4 steps to *cracking WPA-PSK using aircrack-ng*?
1. Monitor wireless traffic with *airmon-ng* 2. Collect wireless traffic data with *airodump-ng* 3. Deauth the client using *aireplay-ng*; the client will try to authenticate with the AP, which will lead to *airodump* capturing an authentication packet (WPA handshake) 4. Run the capture file through *aircrack-ng*
Which tool would be used to collect wireless packet data? 1. NetStumbler 2. Netcat 3. John the Ripper 4. Nessus
1. NetStumbler
What are the 4 steps of *launching a MITM attack using aircrack-ng*?
1. Run *airmon-ng* in monitor mode 2. Start *airodump* to discover SSIDs on interface 3. De-authenticate the client using *aireplay-ng* 4. Associate your wireless card with the AP you are accessing with *aireplay-ng*
What are the 5 steps of *cracking WEP using aircrack-ng*?
1. Run *airmon-ng* in monitor mode 2. Start *airodump-ng* to discover SSIDs on interface and keep it running; your capture file should contain more than 50,000 IVs to successfully crack the WEP key 3. Associate your wireless card with the target AP 4. Inject packets using *aireplay-ng* to generate traffic on the target AP 5. Wait for *airodump-ng* to capture more than 50,000 IVs; crack WEP key using *aircrack-ng*
What 4 *Wi-Fi packet sniffer* tools does the material recommend?
1. SteelCentral Packet Analyzer 2. Omnipeek Network Protocol Analyzer 3. CommView for Wi-Fi 4. Kismet
Which of the following does not provide cryptographic integrity protection? 1. WEP 2. WPA 3. TKIP 4. WPA2
1. WEP
What are the *6 phases of the wireless hacking methodology*?
1. Wi-Fi discovery 2. GPS mapping 3. Wireless traffic analysis 4. Launch of wireless attacks 5. Wi-Fi encryption cracking 6. Compromise the Wi-Fi network
What 2 *GPS mapping tools* does the material recommend?
1. WiGLE 2. Maptitude Mapping Software
Which of the following components of Cisco's WIPS deployment forwards attack information from wireless IPS monitor-mode APs to the MSE and distributes configuration parameters to APs? 1. Wireless LAN controller 2. Mobility services engine 3. Wireless control system 4. Local mode AP
1. Wireless LAN controller
What 3 *Wi-Fi discovery tools* does the material recommend?
1. inSSIDer Plus 2. NetSurveyor 3. Wi-Fi Scanner
What is the attack where an attacker erects a fake LTE tower to redirect connections?
Active aLTEr attack
What is an enhancement to 802.11a and 802.11b that enables global portability by allowing variations in frequencies, power levels, and bandwidth?
802.11d
What standard provides guidance for prioritization of data, voice, and video transmissions enabling quality of service?
802.11e
What is a standard for wireless local area networks (WLANs) that *provides improved encryption for networks that use 802.11a, 802.11b, and 802.11g standards* and *defines WPA2-Enterprise/WPA2-Personal for Wi-Fi*?
802.11i
What is an attack where an attacker spoofs the MAC address of an authorized WLAN client to connect to the AP?
AP MAC spoofing attack
What technique is used by an *AP* to detect rogue APs?
AP scanning
What is an attack that aims to penetrate a network by *evading WLAN access control measures* such as AP MAC filters and Wi-Fi port access controls?
Access control attack
What is an attack in which an attacker uses any USB adapter or wireless card and connects a host to an unsecured client to attack a specific client or to avoid AP security?
Ad-hoc connection attack
What is the process of connecting a wireless device to an AP?
Association
What is an attack that attempts to steal the identity of Wi-Fi clients to gain unauthorized access to the network?
Authentication attack
What is an attack that aims at *obstructing the delivery of wireless services to legitimate users*, either by crippling those resources or by denying them access to WLAN resources?
Availability attack
What is the MAC address of an AP that has set up a Basic Service Set?
Basic Service Set Identifier (BSSID)
What is the art of *collecting information about Bluetooth-enabled devices* such as manufacturer, device model, and firmware version?
BluePrinting
What is the proof of concept code for a Bluetooth *wardriving* utility?
BlueSniff
What do you call *remotely accessing* a Bluetooth-enabled device and using its features?
Bluebugging
What do you call *sending unsolicited messages* over Bluetooth to Bluetooth-enabled devices?
Bluejacking
What is a denial-of-service attack which *overflows Bluetooth-enabled devices* with random packets?
Bluesmacking
What is the theft of information from a wireless device through a Bluetooth connection?
Bluesnarfing
What do you call intercepting data intended for Bluetooth-enabled devices?
Bluetooth MAC spoofing attack
What *Bluetooth hacking tool* does the material recommend?
BluetoothView
What Bluetooth attack is used to *bypass security mechanisms* and listen to information being shared?
Btlejacking
What is an attack where an attacker uses an AP with an SSID of *McDonald's Wifi* or some other such SSID to tempt users to connect?
Honeypot AP attack
What is a method of encoding digital data on multiple carrier frequencies *at the same time*?
Orthogonal frequency-division multiplexing (OFDM)
What attack is similar to a *rogue AP attack*, except the rogue AP is set up *nearby but outside the target network*?
Client mis-association attack
What is an attack that attempts to *intercept confidential information sent over wireless associations*, regardless of whether they were sent in clear text or encrypted by Wi-Fi protocols?
Confidentiality attack
Name the following attack. 1. A client is authenticated and associated with an AP 2. An attacker sends a de-authenticate request packet to take a single client offline
De-authentication denial-of-service attack
What technique does aircrack-ng use to crack WPA and WPA-2 pre-shared keys (PSKs)?
Dictionary
What is a bidirectional antenna used to support client connections rather than site-to-site applications?
Dipole antenna
What is an original data signal multiplied with a pseudo-random noise spreading code?
Direct-sequence spread spectrum (DSSS)
Name the following attack. 1. A client is authenticated and associated with an AP 2. An attacker sends a disassociate request packet to take the client offline
Disassociation denial of service attack
What is a protocol that encapsulates the EAP with an encrypted and authenticated TLS tunnel?
Protected Extensible Authentication Protocol (PEAP)
What is the *encryption algorithm*, *IV size*, *encryption key length*, *key management*, and *integrity check mechanism* of *WPA2*?
Encryption algorithm: AES-CCMP; IV size: 48 bits; Encryption key length: 128 bits; Key management: 4-way handshake; Integrity check mechanism: CBC-MAC
What is the *encryption algorithm*, *IV size*, *encryption key length*, *key management*, and *integrity check mechanism* of *WPA3-Enterprise*?
Encryption algorithm: AES-GCMP-256; IV size: Arbitrary length 1-(2^64); Encryption key length: 192 bits; Key management: SAE, ECDH & ECDSA; Integrity check mechanism: BIP-GMAC-256
What is the *encryption algorithm*, *IV size*, *encryption key length*, *key management*, and *integrity check mechanism* of *WEP*?
Encryption algorithm: RC4; IV size: 23 bits; Encryption key length: 40/104 bits; Key management: None; Integrity check mechanism: CRC-32
What is the *encryption algorithm*, *IV size*, *encryption key length*, *key management*, and *integrity check mechanism* of *WPA*?
Encryption algorithm: RC4, TKIP; IV size: 48 bits; Encryption key length: 128 bits; Key management: 4-way handshake; Integrity check mechanism: Michael algorithm (MIC) & CRC-32
What is a tool for performing wireless man-in-the-middle attacks?
Ettercap
What tool can be used for *wireless ARP poisoning*?
Ettercap
The IEEE 802.1X standard defines a method that uses what protocol to establish port-based network access control (NAC)?
Extensible Authentication Protocol (EAP)
What is an authentication protocol that supports multiple authentication methods, such as token cards, Kerberos, and certificates?
Extensible Authentication Protocol (EAP)
What is a method of transmitting radio signals by rapidly switching a carrier among many frequency channels?
Frequency-hopping spread spectrum (FHSS)
What is the *frequency (GHz)*, *modulation*, *speed (Mbps)*, and *range (meters)* of *802.15.4 (ZigBee)*?
Frequency: 0.868, 0.915, or 2.4 GHz; Modulation: O-QPSK, GFSK, BPSK; Speed: 0.02, 0.04, 0.25 Mbps; Range: 1-100 meters
What is the *frequency (GHz)*, *modulation*, *speed (Mbps)*, and *range (meters)* of *802.16 (WiMAX)*?
Frequency: 2-11 GHz; Modulation: SOFDMA; Speed: 34-100 Mbps; Range: 1609.34-9656.06 meters (1-6 miles)
What is the *frequency (GHz)*, *modulation*, *speed (Mbps)*, and *range (meters)* of *802.11b*?
Frequency: 2.4 GHz; Modulation: DSSS; Speed: 1, 2, 5.5, 11 Mbps; Range: 35-140 meters
What is the *frequency (GHz)*, *modulation*, *speed (Mbps)*, and *range (meters)* of *802.11*?
Frequency: 2.4 GHz; Modulation: DSSS, FHSS; Speed: 1.2 Mbps; Range: 20-100 meters
What is the *frequency (GHz)*, *modulation*, *speed (Mbps)*, and *range (meters)* of *802.11g*?
Frequency: 2.4 GHz; Modulation: OFDM; Speed: 6, 9, 12, 18, 24, 36, 48, 54 Mbps; Range: 38-140 meters
What is the *frequency (GHz)*, *modulation*, *speed (Mbps)*, and *range (meters)* of *802.15.1 (Bluetooth)*?
Frequency: 2.4 GHz; Modulation: GFSK, pi/4-DPSK, 8DPSK; Speed: 25-50 Mbps; Range: 10-240 meters
What is the *frequency (GHz)*, *modulation*, *speed (Mbps)*, and *range (meters)* of *802.11n*?
Frequency: 2.4 or 5 GHz; Modulation: MIMO-OFDM; Speed: 54-600 Mbps; Range: 70-250 meters
What is the *frequency (GHz)*, *modulation*, *speed (Mbps)*, and *range (meters)* of *802.11a*?
Frequency: 3.7 or 5 GHz; Modulation: OFDM; Speed: 16, 9, 12, 18, 24, 26, 48, 54 Mbps; Range: 35-100 or 5000 meters
What communication protocol is a variant of the Wi-Fi standard that provides an extended range, making it useful for communications in rural areas, and offers low data rates?
HaLow
Wireless networks are based on *what standard*?
IEEE 802.11
What is a set of frequencies for the international industrial, scientific, and medical communities?
ISM band
What is the attack where the network administrator misconfigures the AP such that it doesn't require a password, allowing the attacker to easily enter the network?
Misconfigured AP attack
What is an attack where an attacker *sends forged control, management, or data frames over a wireless network* to misdirect the wireless devices to perform another type of attack?
Integrity attack
Why is WEP vulnerable?
It uses a 24-bit initialization vector (IV), which can be easily cracked
What must be enabled on your Wi-Fi card to sniff wireless traffic?
Monitor mode
What is the attack where an attacker exploits a vulnerability in Bluetooth to *eavesdrop all the data* being shared?
KNOB attack
What is the replay attack that exploits WPA2's four-way handshake?
Key Reinstallation Attack (KRACK)
What Linux tool is used to detect 802.11a/b/g/n wireless networks and can sniff traffic?
Kismet
What attack allows an attacker to decrypt a WEP packet without requiring the WEP key?
KoreK Chopchop
What is a proprietary version of the Extensible Authentication Protocol (EAP) developed by Cisco?
Lightweight Extensible Authentication Protocol (LEAP)
What tool can be used for a *rogue AP attack*?
MANA Toolkit
What is an air interface for 4G and 5G broadband wireless?
Multiple input, multiple output orthogonal frequency-division multiplexing (MIMO-OFDM)
What Windows tool is used to detect 802.11a/b/g wireless networks?
Netstumbler
What protocol is used by *BlueJacking* to send anonymous messages to other Bluetooth-enabled devices?
OBEX
What type of antenna is used in wireless communication?
Omnidirectional
What type of antenna is useful for transmitting weak radio signals over very long distances--on the order of 10 miles?
Omnidirectional
What is the name of the authentication process where any wireless device can be authenticated with the AP, thus allowing the device to transmit data only when its WEP key matches that of the AP?
Open system authentication process
What is an antenna that is based on the principle of a satellite dish but lacks a solid backing and can pick up Wi-Fi signals from ten miles or more?
Parabolic grid antenna
What is the attack where an attacker erects a fake LTE tower to match volatile radio identities to longer lasting ones, with the intent of identifying individual users on a given cell in a cellular network?
Passive aLTEr attack to perform identity mapping
What is the attack where an attacker erects a fake LTE tower and uses Layer 2 metadata information to determine which site a user visits?
Passive aLTEr attack to perform website fingerprinting
What default technique does aircrack-ng use when cracking WEP keys?
Pyshkin, Tews, and Weinmann (PTW)
What tool does the material recommend for performing *spectrum analysis*?
RF Explorer
What tool can be used to *crack WPS*?
Reaver
What is an antenna that is used to concentrate EM energy, which is radiated or received at a focal point?
Reflector antenna
Name the following attack. 1. An attacker places a rogue wireless AP somewhere within the target 802.11 network *with the same SSID as the legitimate AP* 2. When a user turns on their computer, the rogue wireless AP will offer to connect with the network user 3. All the traffic the user enters will pass through the rogue AP, thus enabling a form of *wireless packet sniffing*
Rogue AP attack
What is a unique identifier of 32 alphanumeric characters given to a wireless local area network (LAN)?
Service Set Identifier (SSID)
What is the authentication process where the station and AP use the same WEP key to provide authentication, which means that this key should be enabled and configured manually on both the AP and client?
Shared key authentication process
What technology is implemented in WPA3-Personal to replace the use of pre-shared keys in WPA2-Personal?
Simultaneous Authentication of Equals (SAE)
What is a variant of a selective forwarding attack where the attacker uses a malicious node and advertises this node as the shortest possible route to reach the base station?
Sinkhole attack
What is the purpose of the *dragon* set of tools?
To crack WPA3 encryption
True or false: In a LAN-to-LAN wireless network, the APs provide wireless connectivity to local computers, and computers on different networks can be interconnected.
True
True or false: WEP, WPA, WPA2, and WPA3 all have security flaws.
True
What is an integration of EAP standards with WPA2 encryption?
WPA2 Enterprise
What is an attack where an attacker infects a victim's machine and activates a soft AP, allowing them *unauthorized connection* to the wireless network?
Unauthorized association attack
What wireless security protocol is defined by the *802.11b standard*?
WEP
What wireless security protocol is designed to provide a wireless LAN with a level of security and privacy comparable to that of a wired LAN?
WEP
What is a Wi-Fi security protocol using TKIP and MIC to provide encryption and authentication?
WPA
What is a Wi-Fi security protocol that uses 128-bit AES AND CCMP for wireless data encryption?
WPA2
What wireless security protocol is defined by the *802.11i standard*?
WPA2
What is a Wi-Fi security protocol that uses GCMP-256 for encryption and HMAC-SHA-384 for authentication?
WPA3
What tool does the material recommend for *detecting WPS-enabled APs*?
Wash
What *Wi-Fi hotspot finder tool* does the material recommend?
Wi-Fi Finder
What *mobile Wi-Fi discovery tool* does the material recommend?
WiFi Analyzer
What *war driving* tool does the material recommend?
WiGLE
What is an attack that can obtain 1500 bytes of the pseudo random generation algorithm, which can be used with *packetforge-ng* to perform various injection attacks?
Wireless fragmentation attack
What is an attack where an attacker locates himself within the target network and exploits dynamic routing protocols such as DSR and AODV to create a tunnel to forward data between source and destination nodes, giving them the ability to sniff traffic?
Wormhole attack
What is a unidirectional antenna commonly used in communications for a frequency band of 10 MHz to VHF and UHF?
Yagi antenna
What *aircrack-ng* script is used for cracking credentials found in captured traffic?
aircrack-ng
What *aircrack-ng* script is used for *generating traffic* that can aid in the cracking process?
aireplay-ng
What *aircrack-ng* script enables you to enter *monitor mode* on your wireless card?
airmon-ng
What *aircrack-ng* script is used for *capturing 802.11 packets*?
airodump-ng
What *btlejack* command allows an attacker to *sniff new Bluetooth low-energy connections*?
btlejack -c any