Hacking Wireless Networks

Question 1

A 32 bit identification string of the Access Point

Answer 1

Service Set Identifier (SSID)

Question 2

SSID inserted into the ? of every ? packet

Answer 2

Header, data

Question 3

MAC address of the Access Point

Answer 3

Basic Service Set Identifier (BSSID)

Question 4

A frequency band dedicated to the Industrial, Scientific and Medical purpose

Answer 4

ISM Band

Question 5

What does GSM stand for?

Answer 5

Global System for Mobile Communication

Question 6

Name the generations of GSM

Answer 6

Generations: 2G (GSM), 3G (UMTS), 4G (LTE), 5G

Question 7

Wi-Fi Wi-Fi is a local area networking technology based on what standard?

Answer 7

IEEE 802.11

Question 8

Name the types of Wi-Fi authentication

Answer 8

Open authentication & Shared Key authentication

Question 9

What is the purpose of the probe request?

Answer 9

The Probe Request is to discover the network

Question 10

What does the probe response contain?

Answer 10

The Probe Response contains the parameters (SSID, data rate, encryption, …)

Question 11

Name the request types associated with Wi-Fi Open System authentication

Answer 11

1 - Probe Request
2 - Open System Authentication Request
3 - Association Request

Question 12

Name the 3 types of Wireless authentication

Answer 12

1 - Open Authentication - no auth
2 - Shared key - auth via shared key(password)
3 - Centralized - central auth ex. RADIUS

Question 13

Name the 4 stages of Wi-Fi shared key authentication

Answer 13

Authentication Request
Authentication Response with Challenge Text
Encrypted Challenge Response
Successful / Unsuccessful response

Question 14

Describe the shared key process and weakness

Answer 14

The client sends Authentication Request

The client encrypt the challenge test with his shared key

The AP decrypt the encrypted challenge test with his shared key, if the decrypted text matches, the successful authentication response frame is sent to the client

This challenge test can be captured by a hacker as a clear text, so the hacker can get the shared key

Question 15

What does RC4 stand for?

Answer 15

RC4 - Rivest Cipher 4 Stream Cipher Algorithm

Question 16

What does DSSS stand for?

Answer 16

Direct-Sequence Spread Spectrum (DSSS)

Question 17

What kind of standard is IEEE 802.1X?

Answer 17

IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC)

Question 18

Does IEEE 802.1X provide for authentication?

Answer 18

Yes, It provides an authentication and access controls across wired and wireless networks

Question 19

What is Direct-Sequence Spread Spectrum (DSSS)?

Answer 19

Combines all available waveforms into a single purpose

Question 20

What does EAP stand for?

Answer 20

Extensible Authentication Protocol

Question 21

What kind of framework is EAP?

Answer 21

an authentication framework frequently used in wireless networks and point-to-point connections

Question 22

SSID and BSSID stand for what?

Answer 22

Service Set Identifier, Base Service Set Identifier

Question 23

Name two types of Wireless Antennas

Answer 23

Directional & Omnidirectional

Question 24

Name 3 types of Directional Antennas

Answer 24

Parabolic, Yagi-Uda, & Horn

Question 25

What does FHSS mean?

Answer 25

Frequency-hopping spread spectrum (FHSS)

Question 26

Name 3 types of Omnidirectional antennas

Answer 26

Whip, Rubber Ducky, & Monopole

Question 27

Name 3 use cases for Omnidirectional antennas

Answer 27

radio broadcasting, cell phones, & GPS

Question 28

What does WEP stand for?

Answer 28

Wired Equivalent Privacy (WEP)

Question 29

Name the first wireless encryption standard

Answer 29

Wired Equivalent Privacy (WEP)

Question 30

What type of attack was WEP designed to prevent?

Answer 30

Man-in-the-Middle attack

Question 31

Describe Frequency-hopping spread spectrum (FHSS)

Answer 31

A method of transmitting radio signals by rapidly changing the carrier frequency among many distinct frequencies occupying a large spectral band.

Question 32

What OSI layers is WEP used in?

Answer 32

Physical layer and Data Link layer

Question 33

What does IV in WEP stand for?

Answer 33

Initialization Vector (IV)

Question 34

How many bits long is the IV in WEP?

Answer 34

24-bits

Question 35

How long is the WEP shared-secret key?

Answer 35

40-bits

Question 36

How long is the WEP key after combining the IV and shared-secret key?

Answer 36

64 bits = 24 bit (IV) and 40 bits (shared-secret key)

Question 37

What encryption algorithm does WEP use?

Answer 37

RCA RC4 PRNG algorithm

Question 38

What does WPA stand for?

Answer 38

Wi-Fi Protected Access

Question 39

How does TKIP make WPA better than WEP?

Answer 39

Temporal Key Integrity Protocol (TKIP) implements a key mixing function that combines the secret key with the initialization vector before passing it to the RC4 cipher. WEP, in comparison, merely concatenated the initialization vector to the root key, and passed this value to the RC4 routine.

Question 40

WPA’s TKIP increased WEP’s 64 bit key to what bit-length?

Answer 40

128-bit

Question 41

WPA’s sequence counter mechanism prevents against what type of attack?

Answer 41

Replay attack

Question 42

How long in bits is WPAs IV?

Answer 42

WPA IV is 48-bit long

Question 43

What does CCMP in WPA2 stand for?

Answer 43

Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP)

Question 44

WPA2 uses what symmetric algorithm?

Answer 44

AES

Question 45

What are the two types of WPA versions?

Answer 45

WPA-Personal & WPA-Enterprise

Question 46

WPA-Personal uses what cipher for authentication?

Answer 46

TKIP + PSK (password) = 64/128 bit RC4 MIC

Question 47

WPA-Enterprise uses what cipher for authentication?

Answer 47

TKIP + RADIUS = 64/128 bit RC4 MIC

Question 48

Name two Wireless attacks on access control

Answer 48

MAC spoofing & Rogue Access point

Question 49

Name two Wireless attacks on data integrity

Answer 49

Data frame injection & replay attacks

Question 50

Name two Wireless attacks on confidentiality

Answer 50

traffic analysis, session hijacking, MITM

Question 51

WPA2 replaced WPAs TKIP with what?

Answer 51

CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) replaced TKIP

Question 52

Name two Wireless attacks on availability

Answer 52

flooding, ARP poisoning, De-Authentication attacks

Question 53

WPA2-Personal uses what for authentication?

Answer 53

CCMP + PSK (Pre Shared Key)
128 bit AES MIC Encryption

Question 54

WPA2-Enterprise uses what for authentication?

Answer 54

CCMP + RADIUS
128 bit AES MIC Encryption

Question 55

What does WPA2’s CCMP provide?

Answer 55

CCMP provides Data confidentiality (AES), authentication, and access control

Question 56

Name two Wireless attacks on Authentication

Answer 56

password cracking, identity theft, password guessing

Question 57

What is BlueSmacking?

Answer 57

An attack that uses the L2CAP protocol to transfer an oversized ECHO packet to the Bluetooth enabled devices resulting in Denial Of Service.

Question 58

What is BlueBugging?

Answer 58

exploiting bugs in Bluetooth devices to gain remote access

Question 59

What is BlueJacking?

Answer 59

send unsolicited data to Bluetooth devices

Question 60

What is BluePrinting?

Answer 60

extract information about the device

Question 61

What is BlueSnarfing?

Answer 61

steal data from target device

Question 62

What does WPA use for encryption?

Answer 62

RC4 with TKIP (Temporal Key Integrity Protocol

Initialization Vector (IV) is larger and an encrypted hash

Question 63

Name 5 WiFi countermeasures

Answer 63

Check paired devices
Turn off visibility / turn off Bluetooth if not used
Use strong PIN
Use encryption
Don’t accept unknown requests

Question 64

Bluetooth Class 1 is what power and range?

Answer 64

100mW (20 dBm) & 100 m

Question 65

Bluetooth Class 2 is what power and range?

Answer 65

2.5 mW (4 dBm) & 10 meters

Question 66

Bluetooth Class 3 is what power and range?

Answer 66

1 mW (0 dBm) & 1 meter

Question 67

What is the size of the IV and key length in WEP?

Answer 67

24 bits & 40/140 bits

Question 68

What is the size of the IV and key length in WPA and WPA2?

Answer 68

48-bits & 128 bits

Question 69

What is the size of the IV and key length in WPA3?

Answer 69

48-bits & 128/256 bits

Question 70

Name 5 Wi-Fi security auditing tools

Question 71

What is the purpose of confidentiality attacks?

Answer 71

The role of attacks targeting the confidentiality of the information, is simply to break the encryption model

Question 72

Which encryption is better, TKIP or CCMP? Why?

Answer 72

CCMP because it uses AES versus TKIP which uses weaker RC4

Question 73

What is the goal of integrity attacks?

Answer 73

To tamper with the data

Question 74

What are the 2 countermeasures against integrity attacks?

Answer 74

encryption (so that attacker would not be able to read the message at all) and Message Integrity Codes (MICs) that are basically hashing function like MD5 or SHA1 that take a footprint of the whole message and create a hash of 128 bits (MD5) or 160 bits (SHA1)

Question 75

What is the purpose of access control attacks?

Answer 75

The concept of access control is all about controlling, who and what devices have access to the network, and who does not. It prevents malicious 3rd parties (unauthorized) from associating to the wireless network

Question 76

What 4 enhancements does TKIP provide over WEP?

Answer 76

It uses temporal, dynamically created keys instead of static ones used by WEP.

It uses sequencing to defend against replay and injection attacks.

It uses an advanced key mixing algorithm in order to defeat IV collisions and weak-key attacks in WEP.

It introduces Enhanced Data Integrity (EDI) to defeat bit-flipping attack possible in WEP.

Question 77

What is an attack that aims to penetrate a network by evading WLAN access control measures such as AP MAC filters and Wi-Fi port access controls?

Answer 77

Access control attack

Question 78

What is an attack where an attacker sends forged control, management, or data frames over a wireless network to misdirect the wireless devices to perform another type of attack?

Answer 78

Integrity attack

Question 79

What is an attack that attempts to intercept confidential information sent over wireless associations, regardless of whether they were sent in clear text or encrypted by Wi-Fi protocols?

Answer 79

Confidentiality attack

Question 80

What is an attack that aims at obstructing the delivery of wireless services to legitimate users, either by crippling those resources or by denying them access to WLAN resources?

Answer 80

Availability attack

Question 81

What is an attack that attempts to steal the identify of Wi-Fi clients to gain unauthorized access to the network?

Answer 81

Authentication attack

Question 82

What are the 6 phases of the wireless hacking methodology?

Answer 82

1. Wi-Fi discovery
2. GPS mapping
3. Wireless traffic analysis
4. Launch of wireless attacks
5. Wi-Fi encryption cracking
6. Compromise the Wi-Fi network

Question 83

What tool does the material recommend for detecting WPS-enabled APs?

Answer 83

Wash

Question 84

What 3 Wi-Fi discovery tools does the material recommend?

Answer 84

1. inSSIDer Plus
2. NetSurveyor
3. Wi-Fi Scanner

Question 85

What mobile Wi-Fi discovery tool does the material recommend?

Answer 85

WiFi Analyzer

Question 86

What 2 GPS mapping tools does the material recommend?

Answer 86

1. WiGLE
2. Maptitude Mapping Software

Question 87

What Wi-Fi hotspot finder tool does the material recommend?

Answer 87

Wi-Fi Finder

Question 88

What war driving tool does the material recommend?

Answer 88

WiGLE

Question 89

What must be enabled on your Wi-Fi card to sniff wireless traffic?

Answer 89

Monitor mode

Question 90

What tool does the material recommend for performing spectrum analysis?

Answer 90

RF Explorer

Question 91

What is an attack that can obtain 1500 bytes of the pseudo random generation algorithm, which can be used with packetforge-ng to perform various injection attacks?

Answer 91

Wireless fragmentation attack

Question 92

Name the following attack.

1. A client is authenticated and associated with an AP
2. An attacker sends a disassociate request packet to take the client offline

Answer 92

Disassociation denial of service attack

Question 93

Name the following attack.

1. A client is authenticated and associated with an AP
2. An attacker sends a de-authenticate request packet to take a single client offline

Answer 93

De-authentication denial-of-service attack

Question 94

What are the 4 steps of launching a MITM attack using aircrack-ng?

Answer 94

1. Run airmon-ng in monitor mode
2. Start airodump to discover SSIDs on interface
3. De-authenticate the client using aireplay-ng
4. Associate your wireless card with the AP you are accessing with aireplay-ng

Question 95

What tool can be used for wireless ARP poisoning?

Answer 95

Ettercap

Question 96

Provide 3 benefits of DSSS

Answer 96

more bandwidth
data encoding
low power density
noise like signals
hard to detect and jam

Question 97

What is DSSS?

Answer 97

Direct Sequence Spread Spectrum

Question 98

What are two ways for an endpoint to discover a WiFi network?

Answer 98

Either by passively waiting and listening for announcements (beacon frames) from access points or by sending prove requests which actively ask every WiFi device around if they are a network

Question 99

A type of denial-of-service(availability) attack that disconnect devices from a network. The motive is either capturing reconnection handshakes or diminishing the network’s quality of service

Answer 99

Deauthentication attack

Question 100

Sequencing helps defend against what kind of attacks?

Answer 100

replay and injection attacks.