07 Wireless Network Hacking Flashcards

1
Q
Which of the following is a true statement?

A. Kismet can be installed on Windows but not on Linux.
B. NetStumbler can be installed on Linux but not on Windows.
C. Kismet cannot monitor traffic on 802.11n networks.
D. NetStumbler cannot monitor traffic on 802.11n networks.

A

D. Not only is this question overly confusing and very tool specific, it’s pretty much exactly the type of question you’ll see on your exam. Kismet and NetStumbler are both wireless monitoring tools with detection and sniffing capabilities. NetStumbler is Windows specific, whereas Kismet can be installed on virtually anything. Both do a great job of monitoring 802.11a, b, and g networks, but NetStumbler can’t handle 802.11n. Kismet can even be used as an IDS for your wireless network!
One last fun fact to know in relation to this question—Kismet does a better job of pulling management packets. A lot of wireless cards on Windows systems don’t support monitor mode and have a difficult time pulling management and control packets.

2
Q
Which of the following use a 48-bit initialization vector? (Choose all that apply.)

A. WEP
B. WPA
C. WPA2
D. WEP2

A

B, C. One of the improvements from WEP to WPA involved extending the initialization vector (IV) to 48 bits from 24 bits. While this may seem like a simple doubling of options, you’ve got to remember each additional bit exponentially increases the keyspace. An IV provides for confidentiality and integrity. Wireless encryption algorithms use it to calculate an integrity check value (ICV), appending it to the end of the data payload. The IV is then combined with a key to be input into an algorithm (RC4 for WEP, AES for WPA2). Therefore, because the length of an IV determines the total number of potential random values that can possibly be created for encryption purposes, doubling to 48 bits increased overall security. By itself, this didn’t answer all security problems—it only meant it took a little longer to capture enough IV packets to crack the code. However, combined with other steps, it did provide for better security.

3
Q
Which of the following are true statements? (Choose all that apply.)

A. WEP uses shared-key encryption with TKIP.
B. WEP uses shared-key encryption with RC4.
C. WPA2 uses shared-key encryption with RC4.
D. WPA uses TKIP and AES encryption.
A

B, D. WEP uses a 24-bit initialization vector and RC4 to “encrypt” data transmissions, although saying that makes me shake in disgust because it’s really a misnomer. WEP was designed as basic encryption merely to simulate the “security” of being on a wired network—hence, the “Equivalent” part in Wired Equivalent Privacy. It was never intended as true encryption protection. WPA was an improvement on two fronts. First, the shared key portion of encryption was greatly enhanced by the use of Temporal Key Integrity Protocol (TKIP). In short, the key used to encrypt data was made temporary in nature and is swapped out every 10,000 packets or so. Additionally, WPA2 uses NIST-approved encryption with AES as the algorithm of choice.

A is incorrect because WEP does not use TKIP. In addition to the same key being used to encrypt and decrypt (shared key), it’s not changed and remains throughout the communication process—which is part of the reason why WEP is so easy to crack.
C is incorrect because WPA2 does not use RC4 as an encryption algorithm.

4
Q
Which of the following would you recommend as a means to deny network access by unauthorized wireless devices to network assets?

A. Wireless access control list
B. Wireless jammer
C. Wireless analyzer
D. Wireless access point
A

A. Of the choices provided, the access control list is the only one that makes sense. This is exactly what an access control list is designed for: by making sure only devices that are authorized can connect, you ensure unauthorized devices cannot connect (or at least take steps to avoid their connection). As a side note here, be careful not to confuse a wireless intrusion prevention system (WIPS) with the ACL. A WIPS will monitor your traffic and, just like the better-known network intrusion prevention system, will take steps to prevent intrusion based on traffic analysis, thresholds, and alerts. Lastly, on questions like this, the process of elimination can help you discern the answer pretty easily.

5
Q
While on vacation, Joe receives a phone call from his identity alert service notifying him that two of his accounts have been accessed in the past hour. Earlier in the day, he did connect a laptop to a wireless hotspot at McDonald’s and accessed the two accounts in question. Which of the following is the most likely attack used against Joe?

A. Unauthorized association
B. Honeyspot access point
C. Rogue access point
D. Jamming signal
A

B. Sometimes EC-Council creates and uses redundant terminology, so don’t blame me for this insanely annoying jewel. In this case, Joe most likely connected to what he thought was the legitimate McDonald’s free Wi-Fi while he was getting his morning coffee and checked the accounts in question. However, an attacker in (or close to) the restaurant had set up another wireless network using the same SSID as the restaurant’s. This practice is known as the honeyspot attack.

6
Q
An attacker is attempting to crack a WEP code to gain access to the network. After enabling monitor mode on wlan0 and creating a monitoring interface (mon0), she types this command:
    aireplay-ng -0 0 -a 0A:00:2B:40:70:80 -c mon0
What is she trying to accomplish?

A. To gain access to the WEP access code by examining the response to deauthentication packets, which contain the WEP code
B. To use deauthentication packets to generate lots of network traffic
C. To determine the BSSID of the access point
D. To discover the cloaked SSID of the network

A

B. Within 802.11 standards, there are several different management-type frames in use: everything from a beacon and association request to a probe request. One of these management frames is a deauthentication packet, which basically shuts off a client from the network. The client then has to reconnect—and will do so quickly. The idea behind this kind of activity is to generate lots of traffic to capture in order to discern the WEP access code (from clients trying to reassociate to all the new ARP packets that will come flying around, since many machines will dump their ARP cache after being shut off the network). Remember that the initialization vectors within WEP are relatively short (24 bits) and are reused frequently, so any attempt to crack the code requires, in general, around 15,000 or so packets. You can certainly gather these over time, but generating traffic can accomplish it much faster. One final note on this must be brought up: this type of attack can just as easily result in a denial-of-service attack against hosts and the AP in question, so be careful.

7
Q
Which wireless standard works at 54Mbps on a frequency range of 2.4GHz?

A. 802.11a
B. 802.11b
C. 802.11g
D. 802.11n

A

C. The 802.11 series of standards identifies a variety of wireless issues, such as the order imposed on how clients communicate, rules for authentication, data transfer, size of packets, how the messages are encoded into the signal, and so on. 802.11g combines the advantages of both the “a” and “b” standards without as many of the drawbacks. It’s fast (at 54Mbps), is backward compatible with 802.11b clients, and doesn’t suffer from the coverage area restrictions 802.11a has to contend with. Considering it operates in the 2.4GHz range, however, there may be some interference issues to deal with. Not only is a plethora of competing networks blasting their signals (sometimes on the same channel) near and around your network, but you also have to consider Bluetooth devices, cordless phones, and even baby monitors that may cause disruption (due to interference) of wireless signals. Also, microwave ovens happen to run at 2.45GHz—right smack dab in the middle of the range.

8
Q
The team has discovered an access point configured with WEP encryption. What is needed to perform a fake authentication to the AP in an effort to crack WEP? (Choose all that apply.)

A. A captured authentication packet
B. The IP address of the AP
C. The MAC address of the AP
D. The SSID
A

C, D. Cracking WEP generally comes down to capturing a whole bunch of packets and running a little math magic to crack the key. If you want to generate traffic by sending fake authentication packets to the AP, you need the AP’s MAC address and the SSID to make the attempt.

A and B are incorrect because this information is not needed for a fake authentication packet. Sure, you can capture and replay an entire authentication packet, but it won’t do much good, and the IP is not needed at all.

9
Q
Which of the tools listed here is a passive discovery tool?

A. Aircrack
B. Kismet
C. NetStumbler
D. Netsniff
A

B. A question like this one can be a little tricky, depending on its wording; however, per the EC-Council, Kismet works as a true passive network discovery tool, with no packet interjection whatsoever. The following is from www.kismetwireless.net: “Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and (with appropriate hardware) can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet also supports plugins which allow sniffing other media.” You might also see two other interesting notables about Kismet on your exam: First, it works by channel hopping, attempting to discover as many networks as possible. Second, it has the ability to sniff packets and save them to a log file, readable by Wireshark or tcpdump.

10
Q
You have discovered an access point using WEP for encryption purposes. Which of the following is the best choice for uncovering the network key?

A. NetStumbler
B. Aircrack
C. John the Ripper
D. Kismet
A

B. Aircrack is a fast tool for cracking WEP (assuming you’ve collected at least 50,000 packets or so, it’ll work swimmingly fast). You’ll need to gather a lot of packets using another toolset, but once you have them together, Aircrack does a wonderful job cracking the key. One method Aircrack uses that you may see referenced on the exam is KoreK implementation, which basically involves slicing bits out of packets and replacing them with guesses—the more this is done, the better the guessing and, eventually, the faster the key is recovered. Other tools for cracking WEP include Cain (which can also use KoreK), KisMac, WEPCrack, and Elcomsoft’s Wireless Security Auditor tool.

11
Q
Which of the following statements are true regarding TKIP? (Choose all that apply.)

A. Temporal Key Integrity Protocol forces a key change every 10,000 packets.
B. Temporal Key Integrity Protocol ensures keys do not change during a session.
C. Temporal Key Integrity Protocol is an integral part of WEP.
D. Temporal Key Integrity Protocol is an integral part of WPA.
A

A, D. TKIP is a significant step forward in wireless security. Instead of sticking with one key throughout a session with a client and reusing it, as occurred in WEP, Temporal Key Integrity Protocol changes the key out every 10,000 packets or so. Additionally, the keys are transferred back and forth during an Extensible Authentication Protocol (EAP) authentication session, which makes use of a four-step handshake process in proving the client belongs to the AP, and vice versa. TKIP came about in WPA.

12
Q
Regarding SSIDs, which of the following are true statements? (Choose all that apply.)

A. SSIDs are always 32 characters in length.
B. SSIDs can be up to 32 characters in length.
C. Turning off broadcasting prevents discovery of the SSID.
D. SSIDs are part of every packet header from the AP.
A

B, D. Service set identifiers have only one real function in life, so far as you’re concerned on this exam: identification. They are not a security feature in any way, shape, or form, and they are designed solely to identify one access point’s network from another’s—which is part of the reason they’re carried in all packets. SSIDs can be up to 32 characters in length but don’t have to be that long (in fact, you’ll probably discover most of them are not).

13
Q
You are discussing WEP cracking with a junior pen test team member. Which of the following are true statements regarding the initialization vectors? (Choose all that apply.)

A. IVs are 32 bits in length.
B. IVs are 24 bits in length.
C. IVs get reused frequently.
D. IVs are sent in clear text.
E. IVs are encrypted during transmission.
F. IVs are used once per encryption session.
A

B, C, D. Weak initialization vectors and poor encryption are part of the reason WEP implementation is not encouraged as a true security measure on wireless networks. And, let’s be fair here, it was never truly designed to be, which is why it’s named Wired Equivalent Privacy instead of Wireless Encryption Protocol (as some have erroneously tried to name it). IVs are 24 bits in length, are sent in clear text, and are reused a lot. Capture enough packets, and you can easily crack the code.

14
Q
A pen test member has configured a wireless access point with the same SSID as the target organization’s SSID and has set it up inside a closet in the building. After some time, clients begin connecting to his access point. Which of the following statements are true regarding this attack? (Choose all that apply.)

A. The rogue access point may be discovered by security personnel using NetStumbler.
B. The rogue access point may be discovered by security personnel using NetSurveyor.
C. The rogue access point may be discovered by security personnel using Kismet.
D. The rogue access point may be discovered by security personnel using Aircrack.
E. The rogue access point may be discovered by security personnel using ToneLoc.
A

A, B, C. Rogue access points (sometimes called evil twin attacks) can provide an easy way to gain useful information from clueless users on a target network. However, be forewarned: security personnel can use multiple tools and techniques to discover rogue APs. NetStumbler is one of the more popular, and useful, tools available. It’s a great network discovery tool that can also be used to identify rogue access points, network interference, and signal strength. Kismet, another popular tool, provides many of the same features and is noted as a “passive” network discovery tool. NetSurveyor is a free, easy-to-use Windows-based tool that provides many of the same features as NetStumbler and Kismet and works with virtually every wireless NIC in modern existence. A “professional” version of NetSurveyor is now available (you get ten uses of it before you’re required to buy a license). Lastly, identifying a rogue access point requires the security staff to have knowledge of every access point owned—and its MAC. If it’s known there are ten APs in the network and suddenly an 11th appears, that alone won’t help find and disable the bad one. It takes some level of organization to find these things, and that plays into your hands as an ethical hacker. The longer your evil twin is left sitting there, the better chance it will be found, so keep it short and sweet.

15
Q
A pen test member is running the Airsnarf tool from a Linux laptop. What is she attempting?

A. MAC flooding against an AP on the network
B. Denial-of-service attacks against APs on the network
C. Cracking network encryption codes from the WEP AP
D. Stealing usernames and passwords from an AP
A

D. Identifying tools and what they do is a big part of the exam—which is easy enough because it’s pure memorization, and this is a prime example. Per the tool’s website (http://airsnarf.shmoo.com/), “Airsnarf is a simple rogue wireless access point setup utility designed to demonstrate how a rogue AP can steal usernames and passwords from public wireless hotspots. Airsnarf was developed and released to demonstrate an inherent vulnerability of public 802.11b hotspots—snarfing usernames and passwords by confusing users with DNS and HTTP redirects from a competing AP.” It basically turns your laptop into a competing AP in the local area and confuses client requests into being sent your way.

16
Q
What is the integrity check mechanism for WPA2?

A. CBC-MAC
B. CCMP
C. RC4
D. TKIP
A

A. If you’ve not done your reading and study, this one could be quite tricky. WPA2 uses CCMP as its encryption protocol, and CCMP uses CBC-MAC for authentication and integrity. Counter Mode CBC-MAC Protocol is an encryption protocol specifically designed for 802.11i wireless networking. As for how it exactly provides for integrity, the true technobabble answer is very long and confusing, but the short of it is this: the message is encrypted with a block cipher, and the encryption of each block in the chain is dependent on the encryption value of the block in front of it. In other words, if block 2 is altered in any way, then decryption of blocks 3, 4, and so on, becomes impossible. One final note on CCMP for your study and memorization: CCMP is based on AES processing and uses a 128-bit key and a 128-bit block size, and ECC sometimes refers to it as AES-CCMP.

17
Q
Which of the following is a true statement regarding wireless security?

A. WPA2 is a better encryption choice than WEP.
B. WEP is a better encryption choice than WPA2.
C. By cloaking the SSID and implementing MAC filtering, you can eliminate the need for encryption.
D. Increasing the length of the SSID to its maximum increases security for the system.
A

A. WPA2 is, by far, a better security choice for your system. It makes use of TKIP, changing out the keys every 10,000 packets instead of using one for the entire session (as in WEP). Additionally, WPA2 uses AES for encryption and a 128-bit encryption key, as opposed to RC4 and 24-bit IVs in WEP.

18
Q
A pen test colleague is attempting to use a wireless connection inside the target’s building. On his Linux laptop he types the following commands:
    ifconfig wlan0 down
    ifconfig wlan0 hw ether 0A:0B:0C:1A:1B:1C
    ifconfig wlan0 up
What is the most likely reason for this action?

A. Port security is enabled on the access point.
B. The SSID is cloaked from the access point.
C. MAC filtering is enabled on the access point.
D. Weak signaling is frustrating connectivity to the access point.
A

C. The sequence of the preceding commands has the attacker bringing the wireless interface down, changing its hardware address, and then bringing it back up. The most likely reason for this is MAC filtering is enabled on the AP, which is restricting access to only those machines the administrator wants connecting to the wireless network. The easy way around this is to watch traffic and copy one of the MAC addresses. With a quick spoof on your own hardware, you’re connected. As an aside, MAC spoofing isn’t just for the wireless world. The command would be slightly different (wlan0 refers to a wireless NIC; eth0 would be an example of a wired port), but the idea is the same.

19
Q
An attacker has successfully configured and set up a rogue wireless AP inside his target. As individuals connect to various areas, he performs a MITM attack and injects a malicious applet in some of the HTTP connections. This reroutes user requests for certain pages to pages controlled by the attacker. Which of the following tools is most likely used by the attacker to inject the HTML code?

A. Aircrack-ng
B. Kismet
C. Ettercap
D. Honeypot
A

C. Go ahead, get it out of your system. I know you’re sitting there screaming, “What do Ettercap and MITM have to do with wireless?” That’s precisely why this question is here. You’ll see this technique employed within the exam in multiple facets. See, by starting out highlighting the attacker’s use of the evil twin attack, you get lulled into thinking this is a wireless issue. In reality, the question has nothing to do with the wireless aspect; instead, the MITM portion is what really matters. So while you were ready to pounce on a wireless tool, and Aircrack-ng really jumped out at you, the MITM attack tool—Ettercap—was really where your attention should’ve been.

20
Q
Which of the following is the best choice in searching for and locating rogue access points?

A. WIPS
B. Dipole antenna
C. WACL
D. HIDS
A

A. Of the choices provided, the wireless intrusion prevention system is the best choice. A WIPS is a network device that, among other things, monitors wireless traffic for the presence of unauthorized access points and then takes countermeasures against them.

21
Q
Charity visits a client business she has worked with multiple times. When she opens her laptop, her wireless connection attempts to automatically connect to the network, named BUSINESS1. Unbeknownst to her, an attacker has set up a cloned network with the same details. As her connection begins, he sends and continues to resend the third step of the connection handshake. After many iterations of this, the attacker gains enough decrypted details to crack the encryption key. Which of the following best describes this attack?

A. Rogue AP
B. AP MAC spoofing
C. aLTEr
D. KRACK
A

D. Of the choices provided, KRACK (Key Reinstallation Attack) comes the closest to fitting the bill. First, you should know that KRACK is largely defunct as an attack nowadays—most modern systems protect against it, and it won’t work. However, you’ll no doubt see a question about it, so let’s dive in.
KRACK works by exploiting the four-way handshake all WPA2 wireless networks take part in. During this exchange, the wireless system blasts out something called an ANonce (a one-time, randomly generated number, more or less). The client receives it, runs some calculation of its own, and responds with another randomly generated SNonce. If everything looks okay, the wireless system sends the GTK (Group Temporal Key), which is the encryption key the WPA2 system uses for broadcast and multicast messages. If everything looks right, the client connects and you’re off and running.
In a KRACK attack, the cloned system run by the bad guy keeps resending the third part of the handshake to the client. Each time the client accepts the connection request, a small piece of data is decrypted and, over several iterations, the encryption key is cracked.
One last thing—KRACK needs proximity to work. In other words, assuming we go back in time before OS patches were created to prevent the attack, you’d have to be close to your target to set things up. There’s only so much reach a wireless system has, and you’d have to be inside that range to even attempt KRACK.