Hacking Wireless Networks Flashcards

1
Q

Which of the following technologies is an air interface for 4G and 5G broadband wireless communications?

MIMO-OFDM
FHSS
OFDM
DSSS

A

MIMO-OFDM - multiple-input multiple-output orthogonal frequency-division multiplexing.

2
Q

Which of the following wireless standards uses modulation schemes such as GFSK, π/4-DPSK, and 8DPSK and a frequency of 2.4 GHz with data transfer rates in the range of 25–50 Mbps?

802.16 (WiMAX)
802.11a
802.11g
802.15.1 (Bluetooth)

A

802.15.1 (Bluetooth)

3
Q

Which modulations do 802.11a and 802.11g use?

A

OFDM - orthogonal frequency-division multiplexing

4
Q

In which of the following is the original data signal multiplied with a pseudo-random noise spreading code?

Orthogonal Frequency-division Multiplexing (OFDM)
Frequency-hopping Spread Spectrum (FHSS)
Direct-sequence Spread Spectrum (DSSS)
Multiple input, multiple output-orthogonal frequency-division multiplexing (MIMO-OFDM)

A

Direct-sequence Spread Spectrum (DSSS)

5
Q

Which of the following is a standard for Wireless Local Area Networks (WLANs) that provides improved encryption for networks that use 802.11a, 802.11b, and 802.11g standards?

802.11e
802.11i
802.11d
802.11n

A

802.11i

6
Q

What is 802.11e used for?

A

802.11e is used for real-time applications such as voice, VoIP, and video. To ensure that these time-sensitive applications have the network resources they need, 802.11e defines mechanisms that provide Quality of Service (QoS) at Layer 2 of the reference model, the medium access control (MAC) layer.

7
Q

What is WiMAX?

A

WiMAX (Worldwide Interoperability for Microwave Access) is a family of wireless broadband communication standards based on the IEEE 802.16 set of standards, which provide multiple physical layer (PHY) and Media Access Control (MAC) options.

8
Q

Which of the following Wi-Fi security protocols uses GCMP-256 for encryption and HMAC-SHA-384 for authentication?

PEAP
WPA3
WEP
CCMP

A

WPA3

9
Q

How can WPA2 be attacked?

A

WPA2 has a significant vulnerability to an exploit known as the key reinstallation attack (KRACK). This exploit may allow attackers to sniff packets, hijack connections, inject malware, and decrypt packets.

10
Q

How can WPA be attacked?

A

In WPA, vulnerabilities in TKIP allow attackers to guess the IP address of the subnet.

11
Q

How can WEP be attacked?

A

In WEP, the IV (initialization vector) is part of the RC4 encryption key, which leads to an analytical attack.

12
Q

How can EAP be attacked?

A

Vulnerabilities in EAP-TTLS/PAP make it susceptible to man-in-the-middle attacks.

13
Q

WPA2 uses AES for wireless data encryption at which of the following encryption levels?

64 bit and CCMP
128 bit and CRC
128 bit and CCMP
128 bit and TKIP

A

128-bit key length and CCMP encryption

14
Q

Which of the following cryptographic algorithms is used by CCMP?

TKIP
DES
AES
RC4

A

AES

15
Q

Which of the following encryption techniques is used in WPA?

RSA
AES
TKIP
DES

A

TKIP

16
Q

Which of the following protocols encapsulates EAP within an encrypted and authenticated Transport Layer Security (TLS) tunnel?

RADIUS
LEAP
PEAP
CCMP

A

PEAP

17
Q

What is LEAP?

A

LEAP is a proprietary version of EAP developed by Cisco.

18
Q

What is CCMP?

A

CCMP is an encryption protocol used in WPA2 for stronger encryption and authentication.

19
Q

Which of the following uses a 40/104-bit encryption key length?

WEP
WPA
WPA2
RSA

A

WEP

20
Q

What is ad-hoc association?

A

An attacker may perform this kind of attack using any Universal Serial Bus (USB) adapter or wireless card. The attacker connects the host to an unsecured client to attack a specific client or to avoid AP security.

21
Q

What is a promiscuous client?

A

Promiscuous clients allow an attacker to transmit target network traffic through a fake AP. This is very similar to the evil-twin threat on wireless networks, in which an attacker launches an AP that poses as an authorized AP by beaconing the WLAN's SSID.

22
Q

What is client misassociation?

A

The client may intentionally or accidentally connect or associate with an AP outside the legitimate network because the WLAN signals travel through the air, walls, and other obstructions.

23
Q

What is a wormhole attack?

A

A wormhole attack exploits dynamic routing protocols such as DSR (Dynamic Source Routing) and AODV (Ad-hoc On-demand Distance Vector). The attacker positions himself strategically in the target network to sniff and record the ongoing wireless transmission.

24
Q

What is a sinkhole attack?

A

In a sinkhole attack, an attacker places a malicious node near the base station to attract all the neighboring nodes with fake routing information and then performs data-forging attacks.

25
Q

What is an evil twin AP attack?

A

Normally, when a wireless client is switched on, it probes nearby wireless networks for a specific SSID. In a honeypot AP attack, an attacker takes advantage of this behavior of wireless clients by setting up an unauthorized wireless network using a rogue AP.

26
Q

What are confidentiality attacks?

A

Confidentiality attacks attempt to intercept confidential information sent over wireless associations, regardless of whether they were sent in clear text or encrypted by Wi-Fi protocols.

27
Q

What are availability attacks?

A

Availability attacks aim at obstructing the delivery of wireless services to legitimate users, either by crippling those resources or by denying them access to WLAN resources.

28
Q

What are authentication attacks?

A

The objective of authentication attacks is to steal the identity of Wi-Fi clients, their personal information, login credentials, etc., to gain unauthorized access to network resources.

29
Q

What are integrity attacks?

A

In integrity attacks, attackers send forged control, management, or data frames over a wireless network to misdirect the wireless devices into performing another type of attack (e.g., DoS).

30
Q

Kenneth, a professional penetration tester, was hired by the XYZ Company to conduct wireless network penetration testing. Kenneth proceeds with the standard steps of wireless penetration testing. He tries to collect lots of initialization vectors (IVs) using the injection method to crack the WEP key. He uses the aircrack-ng tool to capture the IVs from a specific AP. Which of the following aircrack-ng commands will help Kenneth to do this?

airmon-ng start wifi0 9
airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output ath0
aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0
aireplay-ng -9 -e teddy -a 00:14:6C:7E:40:80 ath0

A

airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output ath0

31
Q

Andrew, a professional penetration tester, was hired by ABC Security, Inc., a small IT-based firm in the United States, to conduct a test of the company's wireless network. During the information-gathering process, Andrew discovers that the company is using the 802.11g wireless standard. Using the NetSurveyor Wi-Fi network discovery tool, Andrew starts gathering information about wireless APs. After trying several times, he is not able to detect a single AP. What do you think is the reason behind this?

MAC address filtering feature must be disabled on APs or router.
Andrew must be doing something wrong, as there is no reason for him to not detect access points.
NetSurveyor does not work against 802.11g.
SSID broadcast feature must be disabled, so APs cannot be detected.

A

SSID broadcast feature must be disabled, so APs cannot be detected.

32
Q

What is WiFiFoFum?

A

WiFiFoFum is a wardriving app to locate, display, and map found Wi-Fi networks. WiFiFoFum scans for 802.11 Wi-Fi networks and displays information about each, including SSID, MAC, RSSI, channel, and security. WiFiFoFum also allows you to connect to networks you find and log the location using GPS. KML logs can be emailed.

33
Q

What is Skyhook?

A

Skyhook is a GPS mapping tool.

34
Q

What is MANA Toolkit?

A

MANA Toolkit comprises a set of tools used by attackers to create rogue APs and perform sniffing and MITM attacks.

35
Q

Which of the following security standards contains the Dragonblood vulnerabilities that help attackers recover keys, downgrade security mechanisms, and launch various information-theft attacks?

WPA
WPA3
WEP
WPA2

A

WPA3 (Dragonblood is an attack on the Dragonfly handshake method of WPA3)

36
Q

Which tool would be used to collect wireless packet data?

NetStumbler
Netcat
Nessus
John the Ripper

A

NetStumbler

37
Q

During a wireless penetration test, a tester detects an AP using the WPA2 encryption. Which of the following attacks should be used to obtain the key?

The tester cannot crack WPA2 because it is in full compliance with the IEEE 802.11i standard.
The tester must change the MAC address of the wireless network card and then use the AirTraf tool to obtain the key.
The tester must use the tool inSSIDer to crack it using the ESSID of the network.
The tester must capture the WPA2 authentication handshake and then crack it.

A

The tester must capture the WPA2 authentication handshake and then crack it.

38
Q

What is CommView for WiFi?

A

CommView for Wi-Fi is a wireless network monitor and analyzer for 802.11 a/b/g/n networks. It captures packets to display important information such as the list of APs and stations, per-node and per-channel statistics, signal strength, a list of packets and network connections, protocol distribution charts, etc. By providing this information, CommView for Wi-Fi lets you view and examine packets, pinpoint network problems, and troubleshoot software and hardware.

39
Q

What is BlueScan?

A

BlueScan is a bash script that implements a scanner to detect Bluetooth devices within range of our system. BlueScan works in a non-intrusive way, that is, without establishing a connection with the devices found and without being detected. Superuser privileges are not necessary to execute it.

40
Q

What is WiFish Finder?

A

WiFish Finder is a tool for assessing whether Wi-Fi devices active in the air are vulnerable to "Wi-Fishing" attacks. Assessment is performed through a combination of passive traffic sniffing and active probing techniques. Most Wi-Fi clients keep a memory of networks (SSIDs) they have connected to in the past. WiFish Finder first builds a list of probed networks and then, using a set of clever techniques, also determines the security setting of each probed network. A client is a fishing target if it is actively seeking to connect to an OPEN or a WEP network.

41
Q

In which of the following Bluetooth threats does an attacker trick Bluetooth users into lowering security or disabling authentication for Bluetooth connections to pair with them and steal information?

Bugging devices
Protocol exploitation
Social engineering
Malicious code

A

Social engineering

42
Q

Which of the following btlejack commands allows an attacker to sniff new Bluetooth low-energy connections?

btlejack -s
btlejack -d /dev/ttyACM0 -d /dev/ttyACM2 -s
btlejack -f 0x129f3244 -j
btlejack -c any

A

btlejack -c any

43
Q

How do you perform a jamming operation with btlejack?

A

btlejack -f 0x129f3244 -j

44
Q

How do you sniff an existing connection with btlejack?

A

btlejack -s

45
Q

How do you select target devices with btlejack?

A

btlejack -d /dev/ttyACM0 -d /dev/ttyACM2 -s

46
Q

Which of the following terms is used to describe an attack in which an attacker gains remote access to a target Bluetooth-enabled device without the victim being aware of it?

Bluesnarfing
Bluebugging
Bluesmacking
Bluejacking

A

Bluebugging

47
Q

What is bluesmacking?

A

A Bluesmacking attack occurs when an attacker sends an oversized ping packet to a victim's device, causing a buffer overflow. This type of attack is similar to an ICMP ping of death.

48
Q

What is bluesnarfing?

A

Bluesnarfing is a method of gaining access to sensitive data in a Bluetooth-enabled device. An attacker who is within range of a target can use special software to obtain the data stored on the victim’s device.

49
Q

What is bluejacking?

A

Bluejacking is the use of Bluetooth to send messages to users without the recipient's consent, similar to email spamming. Prior to any Bluetooth communication, the device initiating the connection must provide a name that is displayed on the recipient's screen. As this name is user-defined, it can be set to an annoying message or advertisement. Strictly speaking, Bluejacking does not cause any damage to the receiving device. However, it may be irritating and disruptive to the victims.

50
Q

What is blueprinting?

A

BluePrinting is a footprinting technique performed by an attacker to determine the make and model of the target Bluetooth-enabled device. Attackers collect this information to identify the model, manufacturer, etc., and analyze it to find out whether the device falls within the range of a known vulnerability to exploit.

51
Q

Which of the following protocols is used by BlueJacking to send anonymous messages to other Bluetooth-equipped devices?

L2CAP
SDP
OBEX
LMP

A

OBEX (object exchange).

52
Q

What are Wired Side Inputs?

A

Network management software uses this technique to detect rogue APs. The software detects devices connected to the LAN using multiple protocols, including Telnet, SNMP, and CDP (Cisco Discovery Protocol).

53
Q

Which of the following is a wireless security layer where per frame/packet authentication provides protection against MITM attacks and prevents an attacker from sniffing data when two genuine users communicate with each other?

Device security
Connection security
End-user protection
Wireless signal security

A

Connection security

54
Q

Which of the following components of Cisco’s WIPS deployment forwards attack information from wireless IPS monitor-mode APs to the MSE and distributes configuration parameters to APs?

Wireless control system
Wireless LAN controller
Local mode AP
Mobility services engine

A

Wireless LAN controller