ITN - 261 Chapter 11


How many stages are used in the WPA handshake? 1. Two 2. Four 3. Three 4. One

2. Four There are four stages used in a WPA handshake. This four-stage process is used to derive the key and agree on capabilities.

What would a signal range for a Bluetooth device commonly be? 1. 300 ft. 2. 3,000 ft. 3. 75 ft. 4. 500 ft.

1. 300 ft. While there are Bluetooth devices that will transmit much further, a common range is about 300 feet (100 meters) for Bluetooth 4.0.

What is the policy that allows people to use their own smartphones on the enterprise network? 1. Bring your own device 2. Use your own device 3. Bring your own smart device 4. Use your own smart device

1. Bring your own device Bring your own device (BYOD) is a policy that allows employees to use their own devices on an enterprise network. This opens the door to the potential for attacks from unknown and unexpected devices. None of the other answers are real things.

Why is bluesnarfing potentially more dangerous than bluejacking from the standpoint of the victim? 1. Bluejacking sends while bluesnarfing receives. 2. Bluejacking receives while bluesnarfing sends. 3. Bluejacking installs keyloggers. 4. Bluesnarfing installs keyloggers.

2. Bluejacking receives while bluesnarfing sends. Bluesnarfing is an attack that connects to a Bluetooth device in order to grab data from that device. Bluesnarfing sends data to the attacker. Bluejacking can be used to send information to a Bluetooth device, such as a text message. Neither of these attacks installs keyloggers.

What is the four-stage handshake used for? 1. Passing keys 2. Deriving keys 3. Encrypting messages 4. Initialization seeding

2. Deriving keys The four-stage handshake is used to authenticate stations against wireless networks. As part of the handshake, encryption keys are generated. Keys are derived on both sides of the transaction rather than being exchanged directly. This is handled during the four-way handshake. Keys are not passed. Messages can't be encrypted until the four-way handshake is complete and the keys are generated. There is no such thing as initialization seeding.

What is the purpose of a deauthentication attack? 1. Disabling stations 2. Forcing stations to reauthenticate 3. Reducing the number of steps in the handshake 4. Downgrading encryption

2. Forcing stations to reauthenticate The purpose of a deauthentication attack is to force stations to reauthenticate. This allows the attacker to collect information from the authentication and handshake. This information could be used later to potentially derive the key, as in WEP transmissions. A deauthentication attack doesn't disable stations. There is no way to reduce the number of steps in a handshake, and downgrading encryption is considerably harder, if it's possible at all.

What would you use a bluebugging attack for? 1. Identifying Bluetooth devices nearby 2. Listening to a physical space 3. Enabling a phone's camera 4. Gathering data from a target system

2. Listening to a physical space A bluebugging attack is used to gain access to a smartphone in order to initiate a call out to the attacker's phone. This allows the attacker to listen to anything happening around the phone owner. Scanning is used to identify Bluetooth devices nearby. There is no particular attack used to enable a phone's camera. Gathering data from a target device or system is bluesnarfing.

What mode has to be enabled on a network interface to allow all headers in wireless traffic to be captured? 1. Promiscuous 2. Monitor 3. Radio 4. Wireless LAN

2. Monitor Promiscuous mode is used on network interfaces to collect frames that are not destined for the network interface. This is insufficient on a wireless network because the radio headers are not captured. To capture radio headers, monitor mode needs to be enabled in addition to the promiscuous mode that will always be set to get all frames and all information from the frame. Only monitor mode gives the radio headers.

What types of authentication are allowed in a WPA-encrypted network? 1. Handshake and personal 2. Personal and enterprise 3. Enterprise and handshake 4. 802.11 and personal

2. Personal and enterprise WPA supports both Personal and Enterprise authentication. Personal authentication makes use of a pre-shared key, while Enterprise authentication uses usernames and passwords to authenticate specific users, providing accounting and access control, meaning we know exactly who has connected to the network.

How does an evil twin attack work? 1. Phishing users for credentials 2. Spoofing an SSID 3. Changing an SSID 4. Injecting four-way handshakes

2. Spoofing an SSID An evil twin attack uses an access point masquerading as the point of connection for stations trying to connect to a legitimate wireless network. Stations reach out to make connections to this access point masquerading as another access point. While you may phish for credentials as part of an evil twin attack, credential phishing is not how evil twin attacks work. SSIDs don't get changed as part of an evil twin attack, meaning no SSID that exists will become another SSID. Injecting four-way handshakes won't do much, since four-way assumes both ends are communicating, so the injection of a full communication stream will get ignored.

What is the SSID used for? 1. Encrypting messages 2. Providing a MAC address 3. Identifying a network 4. Seeding a key

3. Identifying a network The service set identifier (SSID) is used to identify a network. It is the name of the network you would select when trying to connect. The SSID is not the MAC address, and it has nothing to do with keys or encryption.

What is the purpose of performing a Bluetooth scan? 1. Identifying open ports 2. Identifying available profiles 3. Identifying endpoints 4. Identifying vendors

3. Identifying endpoints Bluetooth doesn't use ports. While profiles are important, you get the profile capabilities during the pairing process. Just performing a scan won't get you a list of supported profiles. While you should be able to identify vendors as part of the process of running a Bluetooth scan, it's not the purpose of the scan. The purpose is to identify endpoints and their associated addresses so you can run other attacks on them.

What part of the encryption process was weak in WEP? 1. Keying 2. Diffie-Hellman 3. Initialization vector 4. Seeding vector

3. Initialization vector The initialization vector is a random value that seeds the key used for encryption and decryption. In WEP, the algorithm specified for the initialization vector yielded non-random, predictable values. While the initialization vector is part of keying, it's not the keying itself that was weak. Seeding vector is not a real thing, and Diffie-Hellman is a process used to derive and exchange keys securely. It's not part of WEP.

What wireless attack would you use to take a known piece of information in order to be able to decrypt wireless traffic? 1. Sniffing 2. Deauthentication 3. Key reinstallation 4. Evil twin

3. Key reinstallation Sniffing can be used to collect information that may be needed to launch wireless attacks. A deauthentication attack can be used to force a station to generate traffic. An evil twin attack uses a rogue access point to pretend to be a legitimate network. In order to decrypt network traffic, you would need the key. One way to get the key is to reuse information from network traffic that generated a known key. This is a key reinstallation attack.

What method might you use to successfully get malware onto a mobile device? 1. Using the Apple Store or Google Play store 2. Using external storage on an Android 3. Using a third-party app store 4. Jailbreaking

3. Using a third-party app store The Apple App Store and the Google Play Store are controlled by Apple and Google. It's not impossible to get malware onto mobile devices through them, but it's very difficult because apps get run through a vetting process. While some Android devices will support external storage, it's not an effective way to get malware onto a smartphone or other mobile device. Jailbreaking can lead to malware being installed, but it's not the means to get malware onto a mobile device. Third-party app stores can be a good means to get malware onto mobile devices because some third-party app stores don't vet apps that are submitted.

What tool would allow you to run an evil twin attack? 1. Wireshark 2. Ettercap 3. Wifiphisher 4. Aircrack-ng

3. Wifiphisher Wireshark is used to capture packets/frames from a network. Ettercap is used for spoofing attacks. The program aircrack-ng can be used to crack wireless keys. Wifiphisher, though, can be used to set up an evil twin attack.

What tool could you use to enable sniffing on your wireless network to acquire all headers? 1. Ettercap 2. Tcpdump 3. Aircrack-ng 4. Airmon-ng

4. Airmon-ng (Air Monitoring - Next Generation) Tcpdump can be used to capture frames/packets. Ettercap is used for captures and spoofing attacks. Neither can capture all headers, including radio headers in a wireless network. The package aircrack-ng includes the program airmon-ng, which can turn on monitor mode on a network interface. The program aircrack-ng itself cannot do that.

What are the two types of wireless networks? 1. Star and ring 2. Bus and hybrid 3. Infrastructure and hybrid 4. Infrastructure and ad hoc

4. Infrastructure and ad hoc An infrastructure wireless network is one that uses an access point. An ad hoc wireless network is one organized by the participants. These are the two types of wireless networks. Star, ring, bus, and hybrid are all wired topologies.

What wouldn't you see when you capture wireless traffic that includes radio headers? 1. Capabilities 2. Probe requests 3. SSIDs 4. Network type

4. Network type Radio headers in a wireless network will provide you with the capabilities of the devices, since that's negotiated during the association process. You will also see probe requests asking what networks are in the area, including specific networks that a station knows about. These requests will include the SSID. The responses will also include the SSID. You will not get the network type in the headers.

What kind of access point is being used in an evil twin attack? 1. Infrastructure 2. Ad hoc 3. WPA 4. Rogue

4. Rogue Ad hoc and infrastructure are types of wireless networks. Only infrastructure uses access points, but infrastructure is not a type of access point. WPA is an encryption protocol. A rogue access point, meaning one that isn't legitimate, is used in an evil twin attack by pretending to be a legitimate access point.

