Module 7 Questions Flashcards
A WPA2 wireless network is discovered during a pen test. Which of the following methods is the best way to crack the network key?
A. Capture the WPA2 authentication traffic and crack the key.
B. Capture a large amount of initialization vectors and crack the key inside.
C. Use a sniffer to capture the SSID.
D. WPA2 cannot be cracked.
A. WPA2 is a strong encryption method, but almost everything can be hacked given time. Capturing the password pairwise master key (PMK) during the handshake is the only way to do it, and even then it’s virtually impossible if it’s a complicated password.
You are discussing wireless security with your client. He tells you he feels safe with his network because he has turned off SSID broadcasting. Which of the following is a true statement regarding his attempt at security?
A. Unauthorized users will not be able to associate because they must know the SSID in order to connect.
B. Unauthorized users will not be able to connect because DHCP is tied to SSID broadcast.
C. Unauthorized users will still be able to connect because nonbroadcast SSID puts the AP in ad hoc mode.
D. Unauthorized users will still be able to connect because the SSID is still sent in all packets, and a sniffer can easily discern the string
D. Turning off the broadcast of an SSID is a good step, but SSIDs do nothing in regard to security. The SSID is included in every packet, regardless of whether it’s broadcast from the AP.
You are discussing wireless security with your client. He tells you he feels safe with his network as he has implemented MAC filtering on all access points, allowing only MAC addresses from clients he personally configures in each list. You explain this step will not prevent a determined attacker from connecting to his network. Which of the following explains why the APs are still vulnerable?
A. WEP keys are easier to crack when MAC filtering is in place.
B. MAC addresses are dynamic and can be sent via DHCP.
C. An attacker could sniff an existing MAC address and spoof it.
D. An attacker could send a MAC flood, effectively turning the AP into a hub.
C. MAC filtering is easily hacked by sniffing the network for a valid MAC and then spoofing it, using any number of options available.
What information is required in order to attempt to crack a WEP AP? (Choose two.)
A. Network SSID
B. MAC address of the AP
C. IP address of the AP
D. Starting sequence number in the first initialization vector
A, B. The MAC address of the AP and the SSID are required for attempting a WEP crack.
Which of the following protects against man-in-the-middle attacks in WPA? A. MIC B. CCMP C. EAP D. AES
A. MIC provides integrity checking in WPA, verifying frames are authentic and have not been tampered with. Part of how it accomplishes this is a sequence number—if any arrive out of sequence, the whole session is dropped.
Which of the following is the best choice for performing a bluebugging attack? A. PhoneSnoop B. BBProxy C. btCrawler D. Blooover
D. Blooover is designed for bluebugging. BBProxy and PhoneSnoop are both Blackberry tools, and btCrawler is a discovery option.
Operations promotes the use of mobile devices in the enterprise. Security disagrees, noting multiple risks involved in adding mobile devices to the network. Which of the following provides some protections against the risks security is concerned about?
A. Implement WPA.
B. Add MAC filtering to all WAPs.
C. Implement MDM.
D. Ensure all WAPs are from a single vendor.
C. Mobile Device Management won’t mitigate all the risks associated with unending use of mobile devices on your network—but at least it’s something.
Which of the following provides for integrity in WPA2? A. AES B. CCMP C. TKIP D. RADIUS
B. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (say that three times fast) uses Message Integrity Codes (MICs) for integrity purposes.
Which of the following is a true statement?
A. Configuring a strong SSID is a vital step in securing your network.
B. An SSID should always be more than eight characters in length.
C. An SSID should never be a dictionary word or anything easily guessed.
D. SSIDs are important for identifying networks but do little to nothing for security.
D. An SSID is used for nothing more than identifying the network. It is not designed as a security measure.
Which wireless encryption technology makes use of temporal keys? A. WAP B. WPA C. WEP D. EAP
B. WPA uses temporal keys, making it a much stronger encryption choice than WEP.
Which wireless technology uses RC4 for encryption? A. WAP B. WPA C. WEP D. WPA2 E. All of the above
C. WEP uses RC4, which is part of the reason it’s so easily hacked and not considered a secure option.
You wish to gain administrative privileges over your Android device. Which of the following tools is the best option for rooting the device? A. Pangu B. SuperOneClick C. Cydia D. evasi0n7
B. SuperOneClick is designed for rooting Android. The others are jailbreaking iOS options.
Which of the following jailbreaking techniques will leave the phone in a jailbroken state even after a reboot? A. Tethered B. Untethered C. Semi-tethered D. Rooted
B. If untethered jailbreaking has been performed, the device is in a jailbroken state forever, with or without connection to another device.
A company hires you as part of their security team. They are implementing new policies and procedures regarding mobile devices in the network. Which of the following would not be a recommended practice?
A. Create a BYOD policy and ensure all employees are educated and aware of it.
B. Whitelist applications and ensure all employees are educated and aware of them.
C. Allow jailbroken and rooted devices on the network, as long as the employee has signed the policy.
D. Implement MDM.
C. Bring Your Own Device (BYOD) and Mobile Device Management (MDM) are becoming more and more of a headache for security administrators. BYOD is the idea that employees can bring their own smartphones, tablets, and mobile devices to the workplace and use them as part of the enterprise network. Mobile Device Management (often implemented with the use of a third-party product containing management features for mobile device vendors) is an effort to administrate and secure mobile device use within the organization.
Which of the following is a true statement?
A. Kismet can be installed on Windows, but not on Linux.
B. NetStumbler can be installed on Linux, but not on Windows.
C. Kismet cannot monitor traffic on 802.11n networks.
D. NetStumbler cannot monitor traffic on 802.11n networks.
D. Not only is this question overly confusing and very tool specific, it’s pretty much exactly the type of question you’ll see on your exam. Kismet and NetStumbler are both wireless monitoring tools with detection and sniffing capabilities. NetStumbler is Windows specific, whereas Kismet can be installed on virtually anything.
Which of the following tools would be used in a blackjacking attack?
A. Aircrack
B. BBCrack
C. BBProxy
D. Paros Proxy
C. This is another tool-specific question, but one that should be relatively easy. Blackjacking and BBProxy were exposed at DefCon several years ago, so this isn’t anything new in terms of an attack.
Which of the following use a 48-bit initialization vector? (Choose all that apply.)
A. WEP
B. WPA
C. WPA2
D. WEP2
B, C. One of the improvements from WEP to WPA involved extending the initialization vector (IV) to 48 bits from 24 bits. An initialization vector (IV) provides for confidentiality and integrity.
Which of the following are true statements? (Choose all that apply.)
A. WEP uses shared key encryption with TKIP.
B. WEP uses shared key encryption with RC4.
C. WPA2 uses shared key encryption with RC4.
D. WPA2 uses TKIP and AES encryption.
B, D. WEP uses a 24-bit initialization vector and RC4 to “encrypt” data transmissions, although saying that makes me shake in disgust because it’s really a misnomer.
Which of the following tools is a vulnerability scanner for Android devices?
A. X-ray
B. evasi0n7
C. Pangu
D. DroidSheep Guard
A. X-ray is an Android vulnerability scanner explicitly called out by EC-Council. It searches out unpatched vulnerabilities and automatically updates for new vulnerability signatures as they are discovered.
Which type of jailbreaking allows user-level access but does not allow iBoot-level access?
A. iBoot
B. Bootrom
C. Userland
D. iRoot
C
While on vacation, Joe receives a phone call from his identity alert service notifying him that two of his accounts have been accessed in the past hour. Earlier in the day, he did connect a laptop to a wireless hotspot at McDonald’s and accessed the two accounts in question. Which of the following is the most likely attack used against Joe?
A. Unauthorized association
B. Honeyspot access point
C. Rogue access point
D. Jamming signal
B. Sometimes EC-Council creates and uses redundant terminology, so don’t blame your happy little author or publication editors for this insanely annoying jewel. In this case, Joe most likely connected to what he thought was the legitimate McDonald’s free Wi-Fi while he was getting his morning coffee and checked the accounts in question.
An attacker is attempting to crack a WEP code to gain access to the network. After enabling monitor mode on wlan0 and creating a monitoring interface (mon 0), she types this command:
aireplay –ng -0 0 –a 0A:00:2B:40:70:80 –c mon0
What is she trying to accomplish?
A. To gain access to the WEP access code by examining the response to deauthentication packets, which contain the WEP code
B. To use deauthentication packets to generate lots of network traffic
C. To determine the BSSID of the access point
D. To discover the cloaked SSID of the network
B. Within 802.11 standards, there are several different management-type frames in use: everything from a beacon and association request to something called (and I’m not making this up) a probe request.
Which wireless standard is designed to work at 54 Mbps on a frequency range of 2.4 GHz?
A. 802.11a
B. 802.11b
C. 802.11g
D. 802.11n
C. The 802.11 series of standards identifies all sorts of wireless goodies, such as the order imposed on how clients communicate, rules for authentication, data transfer, size of packets, how the messages are encoded into the signal, and so on. 802.11g combines the advantages of both the “a” and “b” standards without as many of the drawbacks.
The team has discovered an access point configured with WEP encryption. What is needed to perform a fake authentication to the AP in an effort to crack WEP? (Choose all that apply.)
A. A replay of a captured authentication packet
B. The IP address of the AP
C. The MAC address of the AP
D. The SSID
C, D. Cracking WEP generally comes down to capturing a whole bunch of packets and running a little math magic to crack the key. If you want to generate traffic by sending fake authentication packets to the AP, you need the AP’s MAC address and the SSID to make the attempt.
Which of the tools listed here is a passive discovery tool?
A. Aircrack
B. Kismet
C. NetStumbler
D. Netsniff
B. A question like this one can be a little tricky, depending on its wording; however, per the EC-Council, Kismet works as a true passive network discovery tool, with no packet interjection whatsoever.
You have discovered an access point using WEP for encryption purposes. Which of the following is the best choice for uncovering the network key?
A. NetStumbler
B. Aircrack
C. John the Ripper
D. Kismet
B. Aircrack is a fast tool for cracking WEP. You’ll need to gather a lot of packets (assuming you’ve collected at least 50,000 packets or so, it’ll work swimmingly fast) using another toolset, but once you have them together, Aircrack does a wonderful job cracking the key.
Which of the following statements are true regarding TKIP? (Choose all that apply.)
A. Temporal Key Integrity Protocol forces a key change every 10,000 packets.
B. Temporal Key Integrity Protocol ensures keys do not change during a session.
C. Temporal Key Integrity Protocol is an integral part of WEP.
D. Temporal Key Integrity Protocol is an integral part of WPA.
A, D.
TKIP is a significant step forward in wireless security. Instead of sticking with one key throughout a session with a client and reusing it, as occurred in WEP, Temporal Key Integrity Protocol changes the key out every 10,000 packets or so.
Regarding SSIDs, which of the following are true statements? (Choose all that apply.)
A. SSIDs are always 32 characters in length.
B. SSIDs can be up to 32 characters in length.
C. Turning off broadcasting prevents discovery of the SSID.
D. SSIDs are part of every packet header from the AP.
E. SSIDs provide important security for the network.
F. Multiple SSIDs are needed to move between APs within an ESS.
B, D.
Service set identifiers have only one real function in life, so far as you’re concerned on this exam: identification. They are not a security feature in any way, shape, or form, and they are designed solely to identify one access point’s network from another’s—which is part of the reason they’re carried in all packets. SSIDs can be up to 32 characters in length but don’t have to be that long (in fact, you’ll probably discover most of them are not).
You are discussing WEP cracking with a junior pen test team member. Which of the following are true statements regarding the initialization vectors? (Choose all that apply.)
A. IVs are 32 bits in length.
B. IVs are 24 bits in length.
C. IVs get reused frequently.
D. IVs are sent in clear text.
E. IVs are encrypted during transmission.
F. IVs are used once per encryption session.
B, C, D. Weak initialization vectors and poor encryption are part of the reason WEP implementation is not encouraged as a true security measure on wireless networks.
A pen test member has configured a wireless access point with the same SSID as the target organization’s SSID and has set it up inside a closet in the building. After some time, clients begin connecting to his access point. Which of the following statements are true regarding this attack? (Choose all that apply.)
A. The rogue access point may be discovered by security personnel using NetStumbler.
B. The rogue access point may be discovered by security personnel using NetSurveyor.
C. The rogue access point may be discovered by security personnel using Kismet.
D. The rogue access point may be discovered by security personnel using Aircrack.
E. The rogue access point may be discovered by security personnel using ToneLoc.
A, B, C. Rogue access points (sometimes called evil twin attacks) can provide an easy way to gain useful information from clueless users on a target network. However, be forewarned, security personnel can use multiple tools and techniques to discover rogue APs.
A pen test member is running the Airsnarf tool from a Linux laptop. What is she attempting?
A. MAC flooding against an AP on the network
B. Denial-of-service attacks against APs on the network
C. Cracking network encryption codes from the WEP AP
D. Stealing usernames and passwords from an AP
D. Identifying tools and what they do is a big part of the exam—which is easy enough because it’s pure memorization, and this is a prime example. Per the website (http://airsnarf.shmoo.com/), “Airsnarf is a simple rogue wireless access point setup utility designed to demonstrate how a rogue AP can steal usernames and passwords from public wireless hotspots.
What frequency does Bluetooth operate in?
A. 2.4–2.48 GHz
B. 2.5 GHz
C. 2.5–5 GHz
D. 5 GHz
A. Yes, you may actually get a question this “down in the weeds” regarding Bluetooth. As an additional study note, you will commonly see a reference to Bluetooth working at 2.45 GHz
What is the integrity check mechanism for WPA2?
A. CBC-MAC
B. CCMP
C. RC4
D. TKIP
A. CBC-MAC
Jack receives a text message on his phone advising him of a major attack at his bank. The message includes a link to check his accounts. After clicking the link, an attacker takes control of his accounts in the background. Which of the following attacks is Jack facing?
A. Phishing
B. Smishing
C. Vishing
D. App sandboxing
B Smishing is SMS Phishing
Which of the following allows an Android user to attain privileged control of the device?
A. DroidSheep
B. SuperOneClick
C. Faceniff
D. ZitMo
B. Rooting of an Android device is the same idea as jailbreaking an iOS one: allowing the user total control over the device to add applications, modify system files and actions, and (in some cases and usually risking security to do so) improve performance.
Which of the following is a true statement regarding wireless security?
A. WPA2 is a better encryption choice than WEP.
B. WEP is a better encryption choice than WPA2.
C. Cloaking the SSID and implementing MAC filtering eliminate the need for encryption.
D. Increasing the length of the SSID to its maximum increases security for the system.
A. WPA2 is, by far, a better security choice for your system. It makes use of TKIP, to change out the keys every 10,000 packets instead of using one for the entire session (as in WEP). Additionally, WPA2 uses AES for encryption and a 128-bit encryption key, as opposed to RC4 and 24-bit IVs in WEP.
A pen test colleague is attempting to use a wireless connection inside the target’s building. On his Linux laptop he types the following commands:
Images
What is the most likely reason for this action?
A. Port security is enabled on the access point.
B. The SSID is cloaked from the access point.
C. MAC filtering is enabled on the access point.
D. Weak signaling is frustrating connectivity to the access point.
C. The sequence of the preceding commands has the attacker bringing the wireless interface down, changing its hardware address, and then bringing it back up. The most likely reason for this is MAC filtering is enabled on the AP, which is restricting access to only those machines the administrator wants connecting to the wireless network.
An individual attempts to make a call using his cell phone; however, it seems unresponsive. After a few minutes of effort, he turns it off and turns it on again. During his next phone call, the phone disconnects and becomes unresponsive again. Which Bluetooth attack is underway?
A. Bluesmacking
B. Bluejacking
C. Bluesniffing
D. Bluesnarfing
A. From the description, it appears the phone is either defective or—since it’s spelled out so nicely in the question for you—there is a denial-of-service attack against the phone. Bluesmacking is a denial-of-service attack on a Bluetooth device.
Which of the following is a pairing mode in Bluetooth that rejects every pairing request?
A. Non-pairing
B. Non-discoverable
C. Promiscuous
D. Bluejack
A. When you get a simple question on the exam, celebrate. Bluetooth has two pairing modes and three discovery modes.
Which of the following would you recommend as a means to deny network access by unauthorized wireless devices to network assets?
A. Wireless access control list
B. Wireless jammer
C. Wireless analyzer
D. Wireless access point
A. Of the choices provided, the access list is the only one that makes sense. It’s exactly what an access list is designed for
An attacker successfully configured and set up a rogue wireless AP inside his target. As individuals connected to various areas, he performed a MITM attack and injected a malicious applet in some of the HTTP connections. This rerouted user requests for certain pages to pages controlled by the attacker. Which of the following tools was most likely used by the attacker to inject the HTML code?
A. Aircrack-ng
B. KISMET
C. Ettercap
D. Honeypot
C Ettercap
Which of the following is the best choice in searching for and locating rogue access points?
A. WIPS
B. Dipole antenna
C. WACL
D. HIDS
A. Of the choices provided, the wireless intrusion prevention system is the best choice. A WIPS is a network device that, among other things, monitors wireless traffic for the presence of unauthorized access points and then takes countermeasures against them.
