Module 16 Quiz - Hacking Wireless Networks
Which of the following Bluetooth modes filters out non-matched IACs (Inquiry Access Codes) and reveals the device only to inquirers whose IAC matched? Discoverable Limited discoverable Non-discoverable Pairable mode
Limited discoverable Explanation: Discoverable: When Bluetooth devices are in discoverable mode, they are visible to other Bluetooth-enabled devices. Limited discoverable: In limited discoverable mode, Bluetooth devices are discoverable only for a limited period, for a specific event, or during temporary conditions. When a device is set to the limited discoverable mode, it filters out non-matched IACs and reveals itself only to those that matched. Non-discoverable: Setting the Bluetooth device to non-discoverable mode prevents that device from appearing on the list during a Bluetooth-enabled device search process. Pairable mode: In pairable mode, the Bluetooth device accepts the pairing request when asked, and establishes a connection with the pair requesting device.
Which of the following is considered as a token to identify a 802.11 (Wi-Fi) network (by default it is the part of the frame header sent over a wireless local area network (WLAN))? SSID Hotspot Access Point Association
SSID Explanation: An SSID is a human-readable text string with a maximum length of 32 bytes. The SSID is a token to identify an 802.11 (Wi-Fi) network; by default, it is a part of the frame header sent over a wireless local area network (WLAN). It acts as a single shared identifier between the access points and clients. If the SSID of the network is changed, reconfiguration of the SSID on every host is required, as every user of the network configures the SSID into their system.
A large company intends to use BlackBerry for corporate mobile phones and a security analyst is assigned to evaluate the possible threats. The analyst will use the Blackjacking attack method to demonstrate how an attacker could circumvent perimeter defenses and gain access to the corporate network. What tool should the analyst use to perform a Blackjacking attack? Paros Proxy BBProxy BBCrack Blooover
BBProxy Explanation: Paros Proxy is a Java-based web proxy for assessing web application vulnerabilities. It supports editing/viewing HTTP/HTTPS messages on the fly to change items such as cookies and form fields. BBProxy is a security assessment tool written in Java that runs on BlackBerry devices. It allows the device to be used as a proxy between the Internet and an internal network, which is what a Blackjacking attack relies on: the handheld's trusted tunnel into the corporate network is turned into a pivot past the perimeter. bbcrack (part of the balbuzard toolkit) is a tool to crack typical malware obfuscation such as XOR, ROL, ADD (and many combinations) by brute forcing all possible keys and checking for specific patterns (IP addresses, domain names, URLs, known file headers and strings, etc.) using the balbuzard engine. Blooover is a J2ME phone auditing tool; since Adam Laurie's BlueSnarf experiment and the subsequent BlueBug experiment it has been shown that some Bluetooth-enabled phones have security issues.
Which of the following terms is used to describe an attack in which an attacker gains remote access to a target Bluetooth-enabled device without the victim being aware of it? Bluesmacking Bluejacking Bluesnarfing Bluebugging
Bluebugging
WPA2 uses AES for wireless data encryption at which of the following encryption levels? 64 bit and CCMP 128 bit and CRC 128 bit and CCMP 128 bit and TKIP
128 bit and CCMP Explanation: WEP uses RC4 with a CRC-32 integrity check value. WPA uses TKIP, which keeps RC4 but derives a fresh 128-bit key for every packet and adds the Michael MIC. WPA2 replaces both with AES in CCMP (Counter Mode with CBC-MAC Protocol) using a 128-bit key, which provides encryption and integrity protection in one primitive.
Which of the following describes the amount of information that may be broadcasted over a connection? Bandwidth Hotspot BSSID Association
Bandwidth Explanation: The bandwidth describes the amount of information that may be broadcasted over a connection. Usually, a bandwidth refers to the rate of data transfer. The unit of measuring the bandwidth is bits (amount of data) per second (bps).
Fill in the blank. _________ is the art of collecting information about Bluetooth enabled devices such as manufacturer, device model and firmware version. BluePrinting Bluejacking Bluebugging BlueSniff
BluePrinting
Thomas is a cyber thief trying to hack Bluetooth-enabled devices at public places. He decided to hack Bluetooth-enabled devices by using a DoS attack. He started sending an oversized ping packet to a victim's device, causing a buffer overflow and finally succeeded. What type of Bluetooth device attack is Thomas most likely performing? Bluesmacking Bluejacking Blue Snarfing Bluebugging
Bluesmacking
In which of the following attacks does the attacker exploit the vulnerability in the Object Exchange (OBEX) protocol that Bluetooth uses to exchange information? BlueSniff Bluesnarfing Bluejacking Bluebugging
Bluesnarfing Explanation: In Bluesnarfing, an attacker exploits a vulnerability in the Object Exchange (OBEX) protocol that Bluetooth uses to exchange information. The attacker connects to the target's OBEX Push service and performs a GET operation for files with correctly guessed or known names, such as telecom/pb.vcf for the device's phonebook or telecom/cal.vcs for the device's calendar file.
Which of the following availability attacks involves exploiting the CSMA/CA Clear Channel Assessment (CCA) mechanism to make a channel appear busy? Beacon Flood Routing Attack Authenticate Flood Denial-of-Service
Denial-of-Service
Which type of antenna is used in wireless communication? Omnidirectional Parabolic Uni-directional Bi-directional
Omnidirectional Explanation:Omnidirectional antennas radiate electromagnetic energy in all directions. They usually uniformly radiate strong waves in two dimensions, but not as strong in the third. A good example of an omnidirectional antenna is one used by radio stations. These antennas are effective for radio signal transmission because the receiver may not be stationary. Therefore, a radio can receive a signal regardless of where it is.
Which of the following protocol encapsulates the EAP within an encrypted and authenticated Transport Layer Security (TLS) tunnel? RADIUS PEAP LEAP CCMP
PEAP Explanation: RADIUS: a centralized authentication, authorization and accounting (AAA) system that the AP consults to validate 802.1X clients; it carries EAP but is not itself an EAP method. PEAP: a protocol that encapsulates EAP within an encrypted and authenticated Transport Layer Security (TLS) tunnel, so the inner credential exchange is protected from eavesdropping. LEAP: a proprietary version of EAP developed by Cisco, whose MS-CHAP-based exchange can be attacked offline. CCMP: an encryption protocol used in WPA2 for stronger encryption and integrity protection; it is not an authentication protocol.
Which of the following types of antennas is useful for transmitting weak radio signals over very long distances - on the order of 10 miles? Uni-directional Omnidirectional Parabolic grid Bi-directional
Parabolic grid Explanation:A parabolic grid antenna uses the same principle as that of a satellite dish, but it does not have a solid backing. It consists of a semidish that is in the form of a grid made of aluminum wire. These parabolic grid antennas can achieve very long-distance Wi-Fi transmissions by using a highly focused radio beam. This type of antenna is useful for transmitting weak radio signals over very long distances - on the order of 10 miles. This enables attackers to get better signal quality, resulting in more data on which to eavesdrop, more bandwidth to abuse, and higher power output that is essential in layer 1 denial of service (DoS) and man-in-the-middle (MITM) attacks. The design of this antenna saves weight and space, and it can pick up Wi-Fi signals that are either horizontally or vertically polarized.
Which of the following Encryption techniques is used in WEP? RC4 TKIP AES DES
RC4 Explanation: WEP encrypts frames at the data link layer to limit unauthorized access to the WLAN. It does so with the symmetric RC4 stream cipher, keyed per frame with the 24-bit initialization vector (IV) concatenated with the shared secret key. TKIP (WPA) also uses RC4 but with per-packet key mixing, AES is used by WPA2's CCMP, and DES is not used by any Wi-Fi standard.
Which of the following consists of 40/104 bit Encryption Key Length? WPA WEP RSA WPA2
WEP Explanation: The WEP key lengths and the corresponding secret key sizes are:
- 64-bit WEP uses a 40-bit key
- 128-bit WEP uses a 104-bit key
- 256-bit WEP (a vendor extension) uses a 232-bit key
In each case the remaining 24 bits are the initialization vector (IV), which is sent in the clear with every frame. WEP normally uses a 40-bit or 104-bit key, whereas TKIP in WPA uses 128-bit keys for each packet. The message integrity check (MIC) in WPA reduces the chance of an attacker modifying or replaying packets.
Which of the following does not provide cryptographic integrity protection? WEP WPA WPA2 TKIP
WEP Explanation: WEP does not provide cryptographic integrity protection. Its integrity check value (ICV) is a CRC-32, which is a linear checksum rather than a keyed MAC. An attacker who captures a frame can flip chosen bits in the encrypted payload and XOR the corresponding CRC-32 difference into the encrypted ICV, without knowing the key, and the receiver still accepts the modified frame. WPA adds the Michael MIC and WPA2 uses CCMP's CBC-MAC, both keyed, which is why they are not vulnerable in the same way.
Which of the following device is used to analyze and monitor the RF spectrum? WIDS Router Firewall Switch
WIDS Explanation:The Wireless Intrusion Detection System (WIDS) analyzes and monitors the RF spectrum. Alarm generation helps in detecting unauthorized wireless devices that violate the security policies of the network.
This application is a Wi-Fi security tool for mobile devices, It works on both Root and Non-root devices, and it can prevent ARP spoofing attacks such as MITM attacks, which are used by some applications such as WifiKill, dSploit, and sniffers. WiFiGuard Airbase-ng Wifi Inspector inSSIDer
WiFiGuard Explanation: WiFiGuard works on both rooted and non-rooted devices. The application can detect ARP spoofing attacks such as MITM attacks used by applications such as WifiKill, dSploit and sniffers, and on rooted devices can block them. Non-root features: gives information about the attack. Root features: active mode that restores the ARP table, passive mode that sets a static ARP table.
Which of the following networks is used for very long-distance communication? ZigBee Bluetooth WiMax Wi-Fi
WiMax Explanation: The IEEE 802.16 standard is a wireless communications standard designed to provide multiple physical layer (PHY) and media access control (MAC) options. It is also known as WiMax. This standard is a specification for fixed broadband wireless metropolitan area networks (MANs) that use a point-to-multipoint architecture. It has a typical range of 1.6 to 9.7 kilometers (1 to 6 miles).
John is a pen tester working with an information security consultant based in Paris. As part of a penetration testing assignment, he was asked to perform wireless penetration testing for a large MNC. John knows that the company provides free Wi-Fi access to its employees on the company premises. He sets up a rogue wireless access point with the same SSID as that of the company's Wi-Fi network just outside the company premises. He sets up this rogue access point using the tools that he has and hopes that the employees might connect to it. What type of wireless confidentiality attack is John trying to do? Evil Twin AP KRACK Attack War Driving WEP Cracking
Evil Twin AP Explanation: Evil twin AP: It is a rogue access point masquerading as a genuine Wi-Fi access point by using the same SSID (and often a stronger signal). Once a user connects to it, the attacker can intercept confidential information. KRACK attack: KRACK stands for Key Reinstallation Attack. This attack exploits flaws in implementations of the 4-way handshake in the WPA2 protocol that is used to establish a connection between a device and the Access Point (AP); the attacker is a man-in-the-middle on an existing network rather than the operator of a fake one. War Driving: It is the act of searching for and exploiting Wi-Fi wireless networks while driving around a city or elsewhere. WEP Cracking: It is the process of capturing data to recover a WEP key using WEP cracking tools such as Aircrack-ng.
Which of the following protocols is used by BlueJacking to send anonymous messages to other Bluetooth-equipped devices? LMP OBEX L2CAP SDP
OBEX Explanation: Link management protocol (LMP): Is used for control of the radio link between two devices, handling matters such as link establishment, querying device abilities and power control. It is implemented on the controller. OBEX: Object Exchange protocol is used for communicating binary objects between devices. BlueJacking is sending anonymous messages to other Bluetooth-equipped devices via the OBEX protocol. Logical link control and adaptation protocol (L2CAP): L2CAP passes packets to either the Host Controller Interface (HCI) or on a hostless system, directly to the Link Manager/ACL link. Service discovery protocol (SDP): Is used to allow devices to discover what services each other support, and what parameters to use to connect to them.
Which of the following is to be used to keep certain default wireless messages from broadcasting the ID to everyone? SSID Cloaking Bluejacking Bluesmacking MAC Spoofing
SSID Cloaking Explanation: SSID Cloaking: It is a technique used to provide wireless security by hiding the SSID and network name from public broadcasting. Use SSID cloaking to keep certain default wireless messages from broadcasting the ID to everyone. Bluejacking: Bluejacking is the use of Bluetooth to send messages to users without the recipient's consent, similar to email spamming. Bluesmacking: A Bluesmacking attack occurs when an attacker sends an oversized ping packet to a victim's device, causing a buffer overflow. MAC Spoofing: MAC Spoofing Attack is a passive attack in which attackers spoof the MAC address of the target Bluetooth-enabled device, in order to intercept or manipulate the data sent towards the target device.
Which of the following Encryption technique is used in WPA? RSA TKIP AES DES
TKIP Explanation: WPA has better data encryption security than WEP, as messages pass through a Message Integrity Check (MIC) using the Temporal Key Integrity Protocol (TKIP). TKIP uses the RC4 stream cipher with 128-bit per-packet keys and a 64-bit MIC (Michael) integrity check to provide stronger encryption and authentication. RSA, AES and DES are some of the other types of encryption.
True or False. In LAN-to-LAN Wireless Network, the APs provide wireless connectivity to local computers, and computers on different networks that can be interconnected? True False
True
Which of the following is a standard for Wireless Local Area Networks (WLANs) that provides improved encryption for networks that use 802.11a, 802.11b, and 802.11g standards? 802.11n 802.11i 802.11d 802.11e
802.11i Explanation: 802.11n: IEEE 802.11n is a revision that enhances the earlier 802.11g standard with multiple-input multiple-output (MIMO) antennas. It works in both the 2.4 GHz and 5 GHz bands and is an IEEE industry standard for Wi-Fi wireless local area networks. Digital Audio Broadcasting (DAB) and wireless LAN both use OFDM. 802.11i: The IEEE 802.11i standard improves WLAN security by introducing new encryption protocols, TKIP and AES-CCMP, together with 802.1X/EAP authentication and the 4-way handshake. It is a standard for wireless local area networks (WLANs) that provides improved encryption for networks that use the popular 802.11a, 802.11b (which includes Wi-Fi) and 802.11g standards. 802.11d: 802.11d is an amendment that adds support for regulatory domains (country information) so that 802.11a/b equipment can operate in regions with different rules; the particulars are signalled at the media access control (MAC) layer. 802.11e: It is used for real-time applications such as voice, VoIP, and video. To ensure that these time-sensitive applications have the network resources they need, 802.11e defines mechanisms to ensure Quality of Service (QoS) at Layer 2 of the reference model, the medium-access (MAC) layer.
Which of the following cryptographic algorithms is used by CCMP? AES DES RC4 TKIP
AES Explanation: CCMP is the encryption protocol used in WPA2 for stronger encryption and authentication. WPA2 is an upgrade to WPA using AES and CCMP for wireless data encryption. WPA2 introduces the use of the National Institute of Standards and Technology (NIST) FIPS 140-2-compliant AES encryption algorithm, a strong wireless cipher, in the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP): counter mode provides confidentiality and CBC-MAC provides integrity under the same 128-bit key. It provides stronger data protection and network access control and gives a high level of security to Wi-Fi connections, so that only authorized users can access them.
Which of the following is used to connect wireless devices to a wireless/wired network? Bandwidth Hotspot Access point (AP) Association
Access point (AP) Explanation: Bandwidth: It describes the amount of information that may be broadcasted over a connection. Usually, bandwidth refers to the data transfer rate. The unit of measuring the bandwidth is bits (amount of data) per second (bps). Hotspot: Places where wireless networks are available for public use. Hotspots refer to areas with Wi-Fi availability, where users can enable Wi-Fi on their devices and connect to the Internet through a hotspot. Access point (AP): An access point (AP) is used to connect wireless devices to a wireless/wired network. It allows wireless communication devices to connect to a wireless network through wireless standards such as Bluetooth and Wi-Fi. It serves as a switch or a hub between the wired LAN and the wireless network. Association: The process of connecting a wireless device to an AP.
An attacker collects the make and model of target Bluetooth-enabled devices analyzes them in an attempt to find out whether the devices are in the range of vulnerability to exploit. Identify which type of attack is performed on Bluetooth devices. BlueSniff Bluebugging BluePrinting MAC Spoofing Attack
BluePrinting Explanation: BlueSniff: BlueSniff is proof-of-concept code for a Bluetooth wardriving utility. It is useful for finding hidden and discoverable Bluetooth devices. Bluebugging: Bluebugging is an attack in which an attacker gains remote access to a target Bluetooth-enabled device without the victim being aware of it. In this attack, an attacker sniffs sensitive information and might perform malicious activities such as intercepting phone calls and messages, forwarding calls and text messages, etc. BluePrinting: BluePrinting is a footprinting technique performed by an attacker in order to determine the make and model of the target Bluetooth-enabled device. Attackers collect this information to identify the model, manufacturer, firmware version, etc. and analyze it to find out whether the devices are vulnerable to a known exploit. MAC Spoofing Attack: MAC Spoofing Attack is a passive attack in which attackers spoof the MAC address of the target Bluetooth-enabled device, in order to intercept or manipulate the data sent towards the target device.
Which of the following Bluetooth attack allows attacker to gain remote access to a target Bluetooth-enabled device without the victim being aware of it? Bluebugging Bluesmacking BluePrinting Bluejacking
Bluebugging Explanation: Bluebugging: Bluebugging is an attack in which an attacker gains remote access to a target Bluetooth-enabled device without the victim being aware of it. In this attack, an attacker sniffs sensitive information and might perform malicious activities such as intercepting phone calls and messages, forwarding calls and text messages, etc. Bluesmacking: A Bluesmacking attack occurs when an attacker sends an oversized ping packet (L2CAP echo request) to a victim's device, causing a buffer overflow. This type of attack is similar to an ICMP ping of death. BluePrinting: BluePrinting is a footprinting technique performed by an attacker in order to determine the make and model of the target Bluetooth-enabled device. Attackers collect this information to profile the model, manufacturer, etc. and analyze it to find out whether the devices are vulnerable to a known exploit. Bluejacking: Bluejacking is the use of Bluetooth to send messages to users without the recipient's consent, similar to email spamming. Prior to any Bluetooth communication, the device initiating the connection must provide a name that is displayed on the recipient's screen. As this name is user-defined, it can be set to be an annoying message or advertisement. Strictly speaking, Bluejacking does not cause any damage to the receiving device. However, it may be irritating and disruptive to the victims.
Mark is working as a penetration tester in InfoSEC, Inc. One day, he notices that the traffic on the internal wireless router suddenly increases by more than 50%. He knows that the company is using a wireless 802.11 a/b/g/n/ac network. He decided to capture live packets and browse the traffic to investigate the issue to find out the actual cause. Which of the following tools should Mark use to monitor the wireless network? CommView for WiFi WiFiFoFum BlueScanner WiFish Finder
CommView for WiFi Explanation: CommView for WiFi: CommView for Wi-Fi is a wireless network monitor and analyzer for 802.11 a/b/g/n networks. It captures packets to display important information such as the list of APs and stations, per-node and per-channel statistics, signal strength, a list of packets and network connections, protocol distribution charts, etc. By providing this information, CommView for Wi-Fi can view and examine packets, pinpoint network problems, and troubleshoot software and hardware. WiFiFoFum: WiFiFoFum is a wardriving app to locate, display and map found WiFi networks. WiFiFoFum scans for 802.11 Wi-Fi networks and displays information about each including: SSID, MAC, RSSI, channel, and security. WiFiFoFum also allows you to connect to networks you find and log the location using the GPS. KML logs can be emailed. BlueScanner (BlueScan): BlueScan is a bash script that implements a scanner to detect Bluetooth devices that are within the range of our system. BlueScan works in a non-intrusive way, that is, without establishing a connection with the devices found and without being detected. Superuser privileges are not necessary to execute it. WiFish Finder: WiFish Finder is a tool for assessing whether WiFi devices active in the air are vulnerable to 'Wi-Fishing' attacks. Assessment is performed through a combination of passive traffic sniffing and active probing techniques. Most WiFi clients keep a memory of networks (SSIDs) they have connected to in the past. Wi-Fish Finder first builds a list of probed networks and then, using a set of clever techniques, also determines the security setting of each probed network. A client is a fishing target if it is actively seeking to connect to an OPEN or a WEP network.
In which of the following layers of wireless security does per frame/packet authentication provide protection against MITM attacks? Device Security Data Protection Connection Security Wireless Signal Security
Connection Security Explanation:Connection Security: Per frame/packet authentication provides protection against MITM attacks. It does not allow the attacker to sniff data when two genuine users are communicating with each other, thereby securing the connection.
In which of the following is the original data signal multiplied with a pseudo random noise spreading code? Orthogonal Frequency-division Multiplexing (OFDM) Multiple input, multiple output orthogonal frequency-division multiplexing (MIMO-OFDM) Direct-sequence Spread Spectrum (DSSS) Frequency-hopping Spread Spectrum (FHSS)
Direct-sequence Spread Spectrum (DSSS) Explanation: Orthogonal Frequency-division Multiplexing (OFDM): OFDM is a method of digital modulation in which a signal, at a chosen frequency, is split into multiple carrier frequencies that are orthogonal (mutually non-interfering) to each other. OFDM maps information onto changes in the carrier phase, frequency, or amplitude, or a combination of these, and shares bandwidth with other independent channels. Multiple input, multiple output orthogonal frequency-division multiplexing (MIMO-OFDM): MIMO-OFDM is the air interface for 4G and 5G broadband wireless communications and drives their spectral efficiency. Adopting MIMO-OFDM reduces interference and makes the channel more robust. Direct-sequence Spread Spectrum (DSSS): DSSS is a spread spectrum technique that multiplies the original data signal with a pseudo random noise spreading code (a chip sequence many times faster than the data rate). The receiver multiplies by the same code to recover the data, which spreads narrowband interference or jamming across the band and so protects the signal against it. Frequency-hopping Spread Spectrum (FHSS): FHSS is the method of transmitting radio signals by rapidly switching a carrier among many frequency channels in a sequence known to both ends.
Steven, a wireless network administrator, has just finished setting up his company's wireless network. He has enabled various security features such as changing the default SSID and enabling strong encryption on the company's wireless router. Steven decides to test the wireless network for confidentiality attacks to check whether an attacker can intercept information sent over wireless associations, whether sent in clear text or encrypted by Wi-Fi protocols. As a part of testing, he tries to capture and decode unprotected application traffic to obtain potentially sensitive information using hardware or software tools such as Ettercap, Kismet, Wireshark, etc. What type of wireless confidentiality attack is Steven trying to do? Eavesdropping Evil twin AP Masquerading WEP Key Cracking
Eavesdropping
There is a WEP encrypted wireless AP with no clients connected. In order to crack the WEP key, a fake authentication needs to be performed. Which of the following steps need to be performed by the attacker for generating fake authentication? Set the wireless interface to monitor mode Ensure association of source MAC address with the AP Capture the IVs Use cracking tools
Ensure association of source MAC address with the AP Explanation: To break WEP encryption the attacker follows these steps:
1. Start the wireless interface in monitor mode on the specific AP channel. In monitor mode the interface listens to every packet in the air, and the attacker can pick packets to replay from what it hears.
2. Test the injection capability of the wireless device against the AP. The attacker checks that the interface is within range of the specified AP and is capable of injecting packets to it.
3. Use a tool such as aireplay-ng to do a fake authentication with the AP. The attacker ensures that the source MAC address is associated, so that the AP accepts the injected packets; without an association the AP silently discards injected frames and the ARP replay in step 5 fails. This step is what the question asks for.
4. Start the Wi-Fi sniffing tool. The attacker captures the IVs using tools such as Cain & Abel or airodump-ng with a BSSID filter to collect unique IVs.
5. Start a packet injection tool such as aireplay-ng in ARP request replay mode. To gain a large number of IVs in a short period, aireplay-ng listens for ARP requests and re-injects them into the network; the AP rebroadcasts each one under a new IV, which is why ARP replay is the fastest way to collect IVs.
6. Run a cracking tool such as Cain & Abel or aircrack-ng. With enough unique IVs the cracking tool recovers the WEP key statistically from the weak RC4 keystream (PTW needs on the order of tens of thousands of IVs; the older FMS/KoreK attacks need far more).
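The two WEP weaknesses behind the integrity question above (the CRC-32 ICV is not a MAC) and behind the IV-collection steps in this procedure (the 24-bit IV repeats and leaks keystream), shown in miniature. This is an added example, not code from the quiz or from aircrack-ng: RC4 is implemented inline, and the key, IVs and frame contents are constructed for the demo rather than captured traffic.

```python
"""Miniature WEP: bit-flip forgery via CRC-32 linearity, and keystream reuse via IV collision.
Added example with constructed data; RC4 is the textbook cipher, the key is hypothetical."""
import random
import zlib

WEP_KEY = bytes.fromhex("0102030405")  # hypothetical 40-bit shared key


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key schedule, then XOR the keystream over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc32_le(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear || RC4(IV || key, plaintext || CRC-32 ICV)."""
    return iv + rc4(iv + key, plaintext + crc32_le(plaintext))


def wep_decrypt(key: bytes, body: bytes):
    """Receiver: returns the plaintext if the ICV verifies, otherwise None."""
    pt_icv = rc4(body[:3] + key, body[3:])
    pt, icv = pt_icv[:-4], pt_icv[-4:]
    return pt if crc32_le(pt) == icv else None


def flip_bits(body: bytes, delta: bytes) -> bytes:
    """Attacker without the key: XOR delta into the encrypted payload and repair the encrypted
    ICV. CRC-32 is affine over GF(2): crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros of len(d)),
    so the ICV correction depends only on delta, never on the unknown plaintext."""
    iv, data_ct, icv_ct = body[:3], body[3:-4], body[-4:]
    assert len(delta) == len(data_ct), "delta must cover the whole payload"
    icv_delta = xor(crc32_le(delta), crc32_le(bytes(len(delta))))
    return iv + xor(data_ct, delta) + xor(icv_ct, icv_delta)


def keystream_from_known_plaintext(body: bytes, known_pt: bytes) -> bytes:
    """A frame with predictable content (an ARP request, say) leaks the RC4 keystream
    for its IV: ciphertext XOR (plaintext || ICV)."""
    return xor(body[3:], known_pt + crc32_le(known_pt))


def decrypt_iv_reuse(body: bytes, iv: bytes, keystream: bytes):
    """Any other frame sent under the same IV decrypts with that keystream alone."""
    if body[:3] != iv or len(body) - 3 > len(keystream):
        return None
    return xor(body[3:], keystream)[:-4]


def iv_collisions(n_frames: int, seed: int = 1) -> int:
    """Count repeated 24-bit IVs among n random choices (birthday bound: about n^2 / 2^25)."""
    rng = random.Random(seed)
    ivs = [rng.getrandbits(24) for _ in range(n_frames)]
    return n_frames - len(set(ivs))


def demo() -> dict:
    # 1. Forgery: turn "AMT=0100" into "AMT=9100" in a frame we cannot decrypt.
    pt = b"TO=ALICE AMT=0100"
    body = wep_encrypt(b"\x11\x22\x33", WEP_KEY, pt)
    delta = bytearray(len(pt))
    delta[13] = ord("0") ^ ord("9")          # byte 13 is the first digit of the amount
    forged = wep_decrypt(WEP_KEY, flip_bits(body, bytes(delta)))
    # 2. IV reuse: a known ARP-like frame gives the keystream that opens a second frame.
    iv = b"\x0a\x0b\x0c"
    known = b"ARP-REQ who-has 10.0.0.1"       # constructed "predictable" frame content
    secret = b"password=letmein"
    ks = keystream_from_known_plaintext(wep_encrypt(iv, WEP_KEY, known), known)
    recovered = decrypt_iv_reuse(wep_encrypt(iv, WEP_KEY, secret), iv, ks)
    return {"forged_plaintext": forged, "recovered": recovered,
            "collisions_in_20000_frames": iv_collisions(20000)}


if __name__ == "__main__":
    print(demo())
```

The receiver in `wep_decrypt` accepts the forged frame because CRC-32 of the modified plaintext is exactly what the attacker predicted; the same frame with the payload changed but the ICV left alone is rejected, which is the only thing the ICV ever protected against. The collision count is why the procedure above is all about harvesting IVs: a busy AP repeats a 24-bit IV within a few thousand frames, and each repeat exposes every frame sent under it.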
Posing as an authorized AP by beaconing the WLAN's SSID to lure users is known as __________. Evil Twin AP Masquerading Man-in-the-Middle Attack Honeypot Access Point
Evil Twin AP
Which of the following is considered as the method of transmitting radio signals by rapidly switching a carrier among many frequency channels? Orthogonal Frequency-division Multiplexing (OFDM) Multiple input, multiple output orthogonal frequency-division multiplexing (MIMO-OFDM) Direct-sequence Spread Spectrum (DSSS) Frequency-hopping Spread Spectrum (FHSS)
Frequency-hopping Spread Spectrum (FHSS) Explanation: Orthogonal Frequency-division Multiplexing (OFDM): OFDM is a method of digital modulation in which a signal, at a chosen frequency, is split into multiple carrier frequencies that are orthogonal (mutually non-interfering) to each other. OFDM maps information onto changes in the carrier phase, frequency, or amplitude, or a combination of these, and shares bandwidth with other independent channels. It produces a transmission scheme that supports higher bit rates than parallel channel operation and is also a method of encoding digital data on multiple carrier frequencies. Multiple input, multiple output orthogonal frequency-division multiplexing (MIMO-OFDM): MIMO-OFDM is the air interface for 4G and 5G broadband wireless communications and drives their spectral efficiency. Adopting MIMO-OFDM reduces interference and makes the channel more robust. Direct-sequence Spread Spectrum (DSSS): DSSS is a spread spectrum technique that multiplies the original data signal with a pseudo random noise spreading code. Also referred to as a data transmission scheme or modulation scheme, the technique protects signals against interference or jamming. Frequency-hopping Spread Spectrum (FHSS): FHSS is the method of transmitting radio signals by rapidly switching a carrier among many frequency channels, following a hop sequence known to both transmitter and receiver; a narrowband jammer only hits the occasional hop.
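The DSSS description in this answer and in the earlier DSSS question says the data is multiplied by a spreading code and that this protects against interference or jamming; the following added example (not code from the page) shows both properties with the 11-chip Barker sequence that 802.11b uses at 1 and 2 Mbit/s. The bit pattern and the interference positions are constructed for the demo.

```python
"""DSSS spreading and despreading with the 802.11b Barker-11 code. Added example; the data
bits and the "jammed" chip positions are constructed, not taken from a real capture."""
BARKER_11 = [1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1]


def spread(bits, code=BARKER_11):
    """Each data bit becomes +1/-1 and multiplies every chip of the code (11 chips per bit)."""
    chips = []
    for bit in bits:
        symbol = 1 if bit else -1
        chips.extend(symbol * c for c in code)
    return chips


def correlate(symbol_chips, code):
    """Receiver correlator: +11 for the code, -11 for its inverse, near zero for a mismatch."""
    return sum(a * b for a, b in zip(symbol_chips, code))


def despread(chips, code=BARKER_11):
    """Decide each bit from the sign of the correlation over its 11-chip block."""
    n = len(code)
    return [1 if correlate(chips[i:i + n], code) > 0 else 0 for i in range(0, len(chips), n)]


def interfere(chips, positions):
    """Model narrowband interference or jamming as inverted chips at the given positions."""
    out = list(chips)
    for p in positions:
        out[p] = -out[p]
    return out


def cyclic_shift(code, k):
    return code[k:] + code[:k]


def demo() -> dict:
    bits = [1, 0, 1, 1, 0]
    chips = spread(bits)
    # up to 5 of the 11 chips of a symbol can be wrong and the bit still decodes; 6 flip it
    survive = despread(interfere(chips, range(0, 5)))
    broken = despread(interfere(chips, range(0, 6)))
    # a receiver with the wrong code (here the same code, shifted) sees almost nothing:
    # the periodic autocorrelation of Barker-11 is -1 at every non-zero shift
    mismatch = [correlate(BARKER_11, cyclic_shift(BARKER_11, k)) for k in range(1, 11)]
    return {"chips_per_bit": len(chips) // len(bits), "survive": survive, "broken": broken,
            "mismatch_correlations": mismatch}


if __name__ == "__main__":
    print(demo())
```

The processing gain is the 11-to-1 ratio in the correlator: the wanted signal adds up coherently across all chips while interference that hits only some of them is averaged out, which is the "protects against interference or jamming" claim in the answer made concrete. The shifted-code correlations are why a receiver that does not know the code (or its timing) cannot even tell a spread signal from noise.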
Which of the following Wi-Fi discovery tools facilitates detection of Wireless LANs using the 802.11a/b/g WLAN standards and is commonly used for wardriving, verifying network configurations, finding locations with poor coverage and detecting rogue APs? NetStumbler WeFi AirCrack-NG WifiScanner
NetStumbler Explanation: NetStumbler (also known as Network Stumbler) is a tool for Windows that facilitates detection of Wireless LANs using the 802.11b, 802.11a and 802.11g WLAN standards. The program is commonly used for: wardriving; verifying network configurations; finding locations with poor coverage in a WLAN; detecting causes of wireless interference; detecting unauthorized ("rogue") access points; and aiming directional antennas for long-haul WLAN links. WeFi is a free Windows utility that helps you connect to open Wi-Fi hotspots by sorting the available hotspots for you. Aircrack-ng is a complete suite of tools to assess WiFi network security. It focuses on different areas of WiFi security such as monitoring, packet capture and export of data to text files for further processing by third-party tools, attacking (replay, deauthentication, fake APs) and cracking WEP and WPA-PSK.
Which of the following techniques is used to detect rogue APs? RF Scanning Passphrases AES/CCMP encryption Non-discoverable mode
RF Scanning Explanation: RF Scanning: Re-purposed APs that do only packet capturing and analysis (RF sensors) are plugged in all over the wired network to detect and warn the WLAN administrator about any wireless devices operating in the area. Passphrases: used to defend against WPA/WPA2 cracking. AES/CCMP encryption: used to defend against WPA/WPA2 cracking. Non-discoverable mode: Setting the Bluetooth device to non-discoverable mode prevents that device from appearing on the list during a Bluetooth-enabled device search process. However, it is still visible to those users and devices who paired with the Bluetooth device previously or who know the MAC address of the Bluetooth device.
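What an RF sensor actually does with the beacons it hears, and how it tells the evil twin from the earlier question apart from the real AP, as an added example (not code from the page or from any WIDS product). It parses beacon frame bodies in their real tagged-parameter layout and flags the corporate SSID coming from a BSSID that is not on the sanctioned list, or coming without RSN (WPA2) protection. The beacon bodies, the BSSIDs and the authorised list are all constructed for the demo; a real sensor would feed in bodies from a monitor-mode capture.

```python
"""Beacon parsing and rogue/evil-twin flagging. Added example with constructed beacons;
the authorised-BSSID table and the MAC addresses are hypothetical."""
import struct

TAG_SSID, TAG_DS_PARAM, TAG_RSN = 0, 3, 48   # 802.11 element IDs
CAP_PRIVACY = 0x0010                        # capability bit: encryption in use
FIXED_FIELDS = "<QHH"                       # timestamp, beacon interval, capability info
# Constructed RSN element: version 1, group CCMP, pairwise CCMP, AKM PSK, no capabilities
RSN_WPA2_PSK_CCMP = bytes.fromhex("0100000fac040100000fac040100000fac020000")


def build_beacon(ssid: bytes, channel: int, rsn: bool) -> bytes:
    """Build a beacon body in tagged-parameter layout (generator for the demo data)."""
    body = struct.pack(FIXED_FIELDS, 0, 100, CAP_PRIVACY if rsn else 0)
    body += bytes([TAG_SSID, len(ssid)]) + ssid
    body += bytes([TAG_DS_PARAM, 1, channel])
    if rsn:
        body += bytes([TAG_RSN, len(RSN_WPA2_PSK_CCMP)]) + RSN_WPA2_PSK_CCMP
    return body


def parse_beacon(body: bytes) -> dict:
    """Walk the tagged parameters after the 12 fixed bytes, stopping cleanly on truncation."""
    _timestamp, _interval, cap = struct.unpack_from(FIXED_FIELDS, body, 0)
    info = {"ssid": None, "channel": None, "privacy": bool(cap & CAP_PRIVACY), "rsn": False}
    pos = struct.calcsize(FIXED_FIELDS)
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                                    # truncated element: do not trust it
        if tag == TAG_SSID:
            # a cloaked AP sends a zero-length or all-NUL SSID element
            info["ssid"] = "" if not value.strip(b"\x00") else value.decode("utf-8", "replace")
        elif tag == TAG_DS_PARAM and length == 1:
            info["channel"] = value[0]
        elif tag == TAG_RSN:
            info["rsn"] = True
        pos += 2 + length
    return info


def classify(bssid: str, beacon: dict, authorised: dict) -> list:
    """authorised maps a corporate SSID to the set of sanctioned BSSIDs (lower-case)."""
    findings = []
    ssid = beacon["ssid"]
    if ssid == "":
        findings.append("cloaked SSID: beacon still reveals BSSID and channel")
    if ssid in authorised:
        if bssid.lower() not in authorised[ssid]:
            findings.append(f"evil twin: corporate SSID {ssid!r} from unsanctioned BSSID {bssid}")
        if not beacon["rsn"]:
            findings.append(f"corporate SSID {ssid!r} beaconed without RSN (WPA2) protection")
    return findings


def scan_report(observed, authorised: dict) -> dict:
    """observed: iterable of (bssid, beacon_body). Returns {bssid: [findings]}."""
    return {bssid: classify(bssid, parse_beacon(body), authorised) for bssid, body in observed}


# Constructed scan: the sanctioned AP, an open evil twin on another channel, a cloaked AP.
AUTHORISED = {"CorpWiFi": {"00:11:22:33:44:55"}}
OBSERVED = [
    ("00:11:22:33:44:55", build_beacon(b"CorpWiFi", 6, rsn=True)),
    ("de:ad:be:ef:00:01", build_beacon(b"CorpWiFi", 11, rsn=False)),
    ("00:11:22:33:44:66", build_beacon(b"\x00\x00\x00", 1, rsn=True)),
]

if __name__ == "__main__":
    for bssid, findings in scan_report(OBSERVED, AUTHORISED).items():
        print(bssid, findings or ["ok"])
```

Matching on SSID alone is exactly what the evil twin exploits, so the sensor keys on the BSSID and the advertised security instead; the cloaked entry shows why SSID hiding is not a countermeasure against this kind of monitoring, since the beacon with its BSSID and channel is still transmitted.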
Andrew, a professional penetration tester, was hired by ABC Security, Inc., a small IT-based firm in the United States, to conduct a test of the company's wireless network. During the information-gathering process, Andrew discovers that the company is using the 802.11g wireless standard. Using the NetSurveyor Wi-Fi network discovery tool, Andrew starts gathering information about wireless APs. After trying several times, he is not able to detect a single AP. What do you think is the reason behind this?
- SSID broadcast feature must be disabled, so APs cannot be detected.
- NetSurveyor does not work against 802.11g.
- Andrew must be doing something wrong, as there is no reason for him to not detect access points.
- MAC address filtering feature must be disabled on APs or router.

SSID broadcast feature must be disabled, so APs cannot be detected.

Explanation: NetSurveyor is an 802.11 (Wi-Fi) network discovery tool that gathers information about nearby wireless access points in real time and displays it in useful ways. It reports the SSID for each wireless network it detects, along with the channel used by the AP servicing that network. In a secure business environment, this tool is used for detecting the presence of rogue APs. A Wi-Fi network discovery tool will not be able to detect the SSID, or the wireless network it identifies, if the SSID broadcast feature is disabled on the AP.
Which of the following countermeasures helps in defending against WPA/WPA2 cracking?
- Avoid using public Wi-Fi networks
- Make sure to enable two-factor authentication
- Change the default SSID after WLAN configuration
- Select a random passphrase that is not made up of dictionary words

Select a random passphrase that is not made up of dictionary words

Explanation: Defend against WPA/WPA2 cracking with passphrases. The only way to crack WPA is to sniff the password PMK associated with the "handshake" authentication process, and if this password is extremely complicated, it will be almost impossible to crack.
- Select a random passphrase that is not made up of dictionary words.
- Select a complex passphrase of a minimum of 20 characters in length and change it at regular intervals.
In which of the following processes do the station and access point use the same WEP key to provide authentication, which means that this key should be enabled and configured manually on both the access point and the client?
- Open-system authentication process
- Shared key authentication process
- WPA encryption
- WEP encryption

Shared key authentication process

Explanation: In a shared key authentication process, each wireless station receives a shared secret key over a secure channel that is distinct from the 802.11 wireless network communication channels. The following steps illustrate the establishment of a connection in the shared key authentication process:
1. The station sends an authentication frame to the AP.
2. The AP sends a challenge text to the station.
3. The station encrypts the challenge text using its configured 64- or 128-bit key and sends the encrypted text to the AP.
4. The AP uses its configured WEP key to decrypt the encrypted text and compares the decrypted text with the original challenge text. If the decrypted text matches the original challenge text, the AP authenticates the station.
5. The station connects to the network.
In which type of Bluetooth threat does an attacker trick Bluetooth users into lowering security or disabling authentication for Bluetooth connections in order to pair with them and steal information?
- Bugging Devices
- Remote Control
- Social Engineering
- Malicious Code

Social Engineering

Explanation: Bugging Devices: Attackers could instruct the user's phone to make a call to other phones without any user interaction. They could even record the user's conversation. Remote Control: Hackers can remotely control a phone to make phone calls or connect to the Internet. Social Engineering: Attackers trick Bluetooth users into lowering security or disabling authentication for Bluetooth connections in order to pair with them and steal information. Malicious Code: Mobile phone worms can exploit a Bluetooth connection to replicate and spread themselves.
During a wireless penetration test, a tester detects an AP using WPA2 encryption. Which of the following attacks should be used to obtain the key?
- The tester must capture the WPA2 authentication handshake and then crack it.
- The tester must use the tool inSSIDer to crack it using the ESSID of the network.
- The tester cannot crack WPA2 because it is in full compliance with the IEEE 802.11i standard.
- The tester must change the MAC address of the wireless network card and then use the AirTraf tool to obtain the key.

The tester must capture the WPA2 authentication handshake and then crack it.

Explanation: An attacker may succeed in gaining unauthorized access to the target network by trying various methods, such as launching wireless attacks, placing rogue APs, or setting up evil twins. The next step for the attacker is to crack the security imposed by the target wireless network. Generally, a Wi-Fi network uses WEP or WPA/WPA2 encryption to secure wireless communication, and the attacker tries to break the security of the target wireless network by cracking these encryption systems. WPA encryption is less exploitable than WEP encryption. However, an attacker can still crack WPA/WPA2 by capturing the right type of packets. The cracking itself is performed offline; the attacker needs to be near the AP only for a few moments in order to capture the WPA/WPA2 authentication handshake.
Which of the following countermeasures helps in defending against the KRACK attack?
- Enable MAC address filtering on access points or routers
- Turn on auto-updates for all the wireless devices and patch the device firmware
- Choose Wired Equivalent Privacy (WEP) instead of Wi-Fi Protected Access (WPA)
- Enable SSID broadcasts

Turn on auto-updates for all the wireless devices and patch the device firmware

Explanation: The Key Reinstallation Attack (KRACK) breaks the WPA2 protocol by forcing nonce reuse in the encryption algorithms used by Wi-Fi. The following are some of the countermeasures to prevent the KRACK attack:
- Update all routers and Wi-Fi devices with the latest security patches.
- Turn on auto-updates for all wireless devices and patch the device firmware.
- Avoid using public Wi-Fi networks.
- Browse only secured websites and do not access sensitive resources while your device is connected to an unprotected network.
- If you own IoT devices, audit them and do not connect them to insecure Wi-Fi routers.
- Always enable the HTTPS Everywhere extension.
- Make sure to enable two-factor authentication.
Which of the following countermeasures helps in defending against Bluetooth hacking?
- Check the wireless devices for configuration or setup problems regularly.
- Use non-regular patterns as PIN keys while pairing a device. Use those key combinations that are non-sequential on the keypad.
- Place a firewall or packet filter between the AP and the corporate intranet.
- Implement an additional technique for encrypting traffic, such as IPSEC over wireless.

Use non-regular patterns as PIN keys while pairing a device. Use those key combinations that are non-sequential on the keypad.

Explanation: SSID settings best practices:
- Use SSID cloaking to keep certain default wireless messages from broadcasting the ID to everyone.
- Do not use your SSID, company name, network name, or any easy-to-guess string in passphrases.
- Place a firewall or packet filter between the AP and the corporate intranet.
- Limit the strength of the wireless network so it cannot be detected outside the bounds of your organization.
- Check the wireless devices for configuration or setup problems regularly.
- Implement an additional technique for encrypting traffic, such as IPSEC over wireless.

Some of the countermeasures to defend against Bluetooth hacking:
- Use non-regular patterns as PIN keys while pairing a device. Use key combinations that are non-sequential on the keypad.
- Keep Bluetooth disabled; enable it only when needed and disable it immediately after the intended task is completed.
- Keep the device in non-discoverable (hidden) mode.
- Do not accept any unknown or unexpected request to pair with your device.
- Periodically review the list of all devices paired in the past and delete any paired device that you are not sure about.
- Always enable encryption when establishing a Bluetooth connection to your PC.
- Set the Bluetooth-enabled device's network range to the lowest setting and perform pairing only in a secure area.
- Install antivirus software that supports host-based security on Bluetooth-enabled devices.

If multiple wireless communication links are in use, make sure that encryption is enabled on each link in the communication chain.
Which of the following includes mandatory support for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)?
- TKIP
- WPA2
- WPA
- WEP

WPA2

Explanation: WPA2 (Wi-Fi Protected Access 2) encryption: WPA2 is a security protocol used to safeguard wireless networks and replaced WPA in 2006. It is compatible with the 802.11i standard and supports many security features that WPA does not. WPA2 introduces the use of the National Institute of Standards and Technology (NIST) FIPS 140-2-compliant AES encryption algorithm, a strong wireless encryption, and Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP). It provides stronger data protection and network access control, and gives a high level of security to Wi-Fi connections so that only authorized users can access them.

WPA has better data encryption security than WEP, as messages pass through a Message Integrity Check (MIC) using the Temporal Key Integrity Protocol (TKIP). TKIP uses the RC4 stream cipher with 128-bit keys and a 64-bit MIC integrity check to provide stronger encryption and authentication.

WEP uses an encryption mechanism at the data link layer to minimize unauthorized access on the WLAN. This is accomplished by encrypting data with the symmetric RC4 encryption algorithm, a cryptographic mechanism used to defend against threats.
Donald works as a network administrator with ABCSecurity, Inc., a small IT-based firm in San Francisco. He was asked to set up a wireless network on the company premises that provides strong encryption to protect the wireless network against attacks. After doing some research, Donald decided to use a wireless security protocol with the following features:
- Provides stronger data protection and network access control
- Uses the AES encryption algorithm for strong wireless encryption
- Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP)

Which of the following wireless security protocols did Donald decide to use?
- WPA2
- WEP
- WAP
- TKIP

WPA2

Explanation: WPA2 (Wi-Fi Protected Access 2) encryption: WPA2 is a security protocol used to safeguard wireless networks and replaced WPA in 2006. It is compatible with the 802.11i standard and supports many security features that WPA does not. WPA2 introduces the use of the National Institute of Standards and Technology (NIST) FIPS 140-2-compliant AES encryption algorithm, a strong wireless encryption, and Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP). It provides stronger data protection and network access control, and gives a high level of security to Wi-Fi connections so that only authorized users can access them.

WPA has better data encryption security than WEP, as messages pass through a Message Integrity Check (MIC) using the Temporal Key Integrity Protocol (TKIP). TKIP uses the RC4 stream cipher with 128-bit keys and a 64-bit MIC integrity check to provide stronger encryption and authentication.

WEP uses an encryption mechanism at the data link layer to minimize unauthorized access on the WLAN. This is accomplished by encrypting data with the symmetric RC4 encryption algorithm, a cryptographic mechanism used to defend against threats.

TKIP: A security protocol used in WPA as a replacement for WEP.
In which of the following techniques does an attacker draw symbols in public places to advertise open Wi-Fi networks?
- WarFlying
- WarWalking
- WarChalking
- WarDriving

WarChalking

Explanation: WarWalking: Attackers walk around with Wi-Fi-enabled laptops to detect open wireless networks. WarChalking: A method of drawing symbols in public places to advertise open Wi-Fi networks. WarFlying: Attackers use drones to detect open wireless networks. WarDriving: Attackers drive around with Wi-Fi-enabled laptops to detect open wireless networks.
Which of the following techniques is used by network management software to detect rogue APs?
- RF scanning
- Wired side inputs
- AP scanning
- Virtual private network

Wired side inputs

Explanation: RF Scanning: Re-purposed access points that do only packet capturing and analysis (RF sensors) are plugged in all over the wired network to detect and warn the WLAN administrator about any wireless devices operating in the area. Wired Side Inputs: Network management software uses this technique to detect rogue APs. The software detects devices connected to the LAN using multiple protocols, including Telnet, SNMP, and CDP (Cisco Discovery Protocol). AP Scanning: Access points that can detect neighboring APs operating in the nearby area expose that data through their MIBs and web interface. Virtual Private Network: A Virtual Private Network (VPN) is a network that provides secure access to a private network through the Internet. VPNs are used for connecting wide area networks (WANs); they allow computers on one network to connect to computers on another network.
Kenneth, a professional penetration tester, was hired by the XYZ Company to conduct wireless network penetration testing. Kenneth proceeds with the standard steps of wireless penetration testing. He tries to collect a large number of initialization vectors (IVs) using the injection method to crack the WEP key. He uses the aircrack-ng tool to capture the IVs from a specific AP. Which of the following aircrack-ng commands will help Kenneth do this?
- airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output ath0
- aireplay-ng -9 -e teddy -a 00:14:6C:7E:40:80 ath0
- airmon-ng start wifi0 9
- aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0

airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output ath0

Explanation:

Start airodump-ng to capture the IVs: The purpose of this step is to capture the IVs generated. It starts airodump-ng to capture the IVs from the specific AP. Open another console session to capture the generated IVs, then enter:

    airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output ath0

Where:
- -c 9 is the channel of the wireless network
- --bssid 00:14:6C:7E:40:80 is the AP MAC address; this eliminates extraneous traffic
- -w output is the file name prefix for the file that will contain the IVs
- ath0 is the interface name

Test wireless device packet injection: The purpose of this step is to ensure that your card is within range of your AP and can inject packets to it. Enter:

    aireplay-ng -9 -e teddy -a 00:14:6C:7E:40:80 ath0

Where:
- -9 means injection test
- -e teddy is the wireless network name
- -a 00:14:6C:7E:40:80 is the AP MAC address
- ath0 is the wireless interface name

Start the wireless card: Enter the following command to start the wireless card on channel 9 in monitor mode:

    airmon-ng start wifi0 9

Substitute the channel number that your AP runs on for "9" in the command above.

Use aireplay-ng to do a fake authentication with the AP: In order for an AP to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated, the AP ignores the packet and sends out a "DeAuthentication" packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets. To associate with an AP, use fake authentication:

    aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0

Where:
- -1 means fake authentication
- 0 is the reassociation timing in seconds
- -e teddy is the wireless network name
- -a 00:14:6C:7E:40:80 is the AP MAC address
- -h 00:0F:B5:88:AC:82 is our card's MAC address
- ath0 is the wireless interface name