Module 7 Questions Flashcards
A WPA2 wireless network is discovered during a pen test. Which of the following methods is the best way to crack the network key?
A. Capture the WPA2 authentication traffic and crack the key.
B. Capture a large amount of initialization vectors and crack the key inside.
C. Use a sniffer to capture the SSID.
D. WPA2 cannot be cracked.
A. WPA2 is a strong encryption method, but almost everything can be hacked given time. Capturing the password pairwise master key (PMK) during the handshake is the only way to do it, and even then it’s virtually impossible if it’s a complicated password.
You are discussing wireless security with your client. He tells you he feels safe with his network because he has turned off SSID broadcasting. Which of the following is a true statement regarding his attempt at security?
A. Unauthorized users will not be able to associate because they must know the SSID in order to connect.
B. Unauthorized users will not be able to connect because DHCP is tied to SSID broadcast.
C. Unauthorized users will still be able to connect because nonbroadcast SSID puts the AP in ad hoc mode.
D. Unauthorized users will still be able to connect because the SSID is still sent in all packets, and a sniffer can easily discern the string.
D. Turning off the broadcast of an SSID is a good step, but SSIDs do nothing in regard to security. The SSID is included in every packet, regardless of whether it’s broadcast from the AP.
You are discussing wireless security with your client. He tells you he feels safe with his network as he has implemented MAC filtering on all access points, allowing only MAC addresses from clients he personally configures in each list. You explain this step will not prevent a determined attacker from connecting to his network. Which of the following explains why the APs are still vulnerable?
A. WEP keys are easier to crack when MAC filtering is in place.
B. MAC addresses are dynamic and can be sent via DHCP.
C. An attacker could sniff an existing MAC address and spoof it.
D. An attacker could send a MAC flood, effectively turning the AP into a hub.
C. MAC filtering is easily hacked by sniffing the network for a valid MAC and then spoofing it, using any number of options available.
What information is required in order to attempt to crack a WEP AP? (Choose two.)
A. Network SSID
B. MAC address of the AP
C. IP address of the AP
D. Starting sequence number in the first initialization vector
A, B. The MAC address of the AP and the SSID are required for attempting a WEP crack.
Which of the following protects against man-in-the-middle attacks in WPA?
A. MIC
B. CCMP
C. EAP
D. AES
A. MIC provides integrity checking in WPA, verifying frames are authentic and have not been tampered with. Part of how it accomplishes this is a sequence number—if any arrive out of sequence, the whole session is dropped.
Which of the following is the best choice for performing a bluebugging attack?
A. PhoneSnoop
B. BBProxy
C. btCrawler
D. Blooover
D. Blooover is designed for bluebugging. BBProxy and PhoneSnoop are both Blackberry tools, and btCrawler is a discovery option.
Operations promotes the use of mobile devices in the enterprise. Security disagrees, noting multiple risks involved in adding mobile devices to the network. Which of the following provides some protections against the risks security is concerned about?
A. Implement WPA.
B. Add MAC filtering to all WAPs.
C. Implement MDM.
D. Ensure all WAPs are from a single vendor.
C. Mobile Device Management won’t mitigate all the risks associated with unending use of mobile devices on your network—but at least it’s something.
Which of the following provides for integrity in WPA2?
A. AES
B. CCMP
C. TKIP
D. RADIUS
B. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (say that three times fast) uses Message Integrity Codes (MICs) for integrity purposes.
Which of the following is a true statement?
A. Configuring a strong SSID is a vital step in securing your network.
B. An SSID should always be more than eight characters in length.
C. An SSID should never be a dictionary word or anything easily guessed.
D. SSIDs are important for identifying networks but do little to nothing for security.
D. An SSID is used for nothing more than identifying the network. It is not designed as a security measure.
Which wireless encryption technology makes use of temporal keys?
A. WAP
B. WPA
C. WEP
D. EAP
B. WPA uses temporal keys, making it a much stronger encryption choice than WEP.
Which wireless technology uses RC4 for encryption?
A. WAP
B. WPA
C. WEP
D. WPA2
E. All of the above
C. WEP uses RC4, which is part of the reason it’s so easily hacked and not considered a secure option.
You wish to gain administrative privileges over your Android device. Which of the following tools is the best option for rooting the device?
A. Pangu
B. SuperOneClick
C. Cydia
D. evasi0n7
B. SuperOneClick is designed for rooting Android. The others are jailbreaking iOS options.
Which of the following jailbreaking techniques will leave the phone in a jailbroken state even after a reboot?
A. Tethered
B. Untethered
C. Semi-tethered
D. Rooted
B. If untethered jailbreaking has been performed, the device is in a jailbroken state forever, with or without connection to another device.
A company hires you as part of their security team. They are implementing new policies and procedures regarding mobile devices in the network. Which of the following would not be a recommended practice?
A. Create a BYOD policy and ensure all employees are educated and aware of it.
B. Whitelist applications and ensure all employees are educated and aware of them.
C. Allow jailbroken and rooted devices on the network, as long as the employee has signed the policy.
D. Implement MDM.
C. Bring Your Own Device (BYOD) and Mobile Device Management (MDM) are becoming more and more of a headache for security administrators. BYOD is the idea that employees can bring their own smartphones, tablets, and mobile devices to the workplace and use them as part of the enterprise network. Mobile Device Management (often implemented with the use of a third-party product containing management features for mobile device vendors) is an effort to administrate and secure mobile device use within the organization.
Which of the following is a true statement?
A. Kismet can be installed on Windows, but not on Linux.
B. NetStumbler can be installed on Linux, but not on Windows.
C. Kismet cannot monitor traffic on 802.11n networks.
D. NetStumbler cannot monitor traffic on 802.11n networks.
D. Not only is this question overly confusing and very tool specific, it’s pretty much exactly the type of question you’ll see on your exam. Kismet and NetStumbler are both wireless monitoring tools with detection and sniffing capabilities. NetStumbler is Windows specific, whereas Kismet can be installed on virtually anything.
Which of the following tools would be used in a blackjacking attack?
A. Aircrack
B. BBCrack
C. BBProxy
D. Paros Proxy
C. This is another tool-specific question, but one that should be relatively easy. Blackjacking and BBProxy were exposed at DefCon several years ago, so this isn’t anything new in terms of an attack.
Which of the following use a 48-bit initialization vector? (Choose all that apply.)
A. WEP
B. WPA
C. WPA2
D. WEP2
B, C. One of the improvements from WEP to WPA involved extending the initialization vector (IV) to 48 bits from 24 bits. An initialization vector (IV) provides for confidentiality and integrity.
Which of the following are true statements? (Choose all that apply.)
A. WEP uses shared key encryption with TKIP.
B. WEP uses shared key encryption with RC4.
C. WPA2 uses shared key encryption with RC4.
D. WPA2 uses TKIP and AES encryption.
B, D. WEP uses a 24-bit initialization vector and RC4 to “encrypt” data transmissions, although saying that makes me shake in disgust because it’s really a misnomer.
Which of the following tools is a vulnerability scanner for Android devices?
A. X-ray
B. evasi0n7
C. Pangu
D. DroidSheep Guard
A. X-ray is an Android vulnerability scanner explicitly called out by EC-Council. It searches out unpatched vulnerabilities and automatically updates for new vulnerability signatures as they are discovered.
Which type of jailbreaking allows user-level access but does not allow iBoot-level access?
A. iBoot
B. Bootrom
C. Userland
D. iRoot
C.
While on vacation, Joe receives a phone call from his identity alert service notifying him that two of his accounts have been accessed in the past hour. Earlier in the day, he did connect a laptop to a wireless hotspot at McDonald’s and accessed the two accounts in question. Which of the following is the most likely attack used against Joe?
A. Unauthorized association
B. Honeyspot access point
C. Rogue access point
D. Jamming signal
B. Sometimes EC-Council creates and uses redundant terminology, so don’t blame your happy little author or publication editors for this insanely annoying jewel. In this case, Joe most likely connected to what he thought was the legitimate McDonald’s free Wi-Fi while he was getting his morning coffee and checked the accounts in question.
An attacker is attempting to crack a WEP code to gain access to the network. After enabling monitor mode on wlan0 and creating a monitoring interface (mon0), she types this command:
aireplay-ng -0 0 -a 0A:00:2B:40:70:80 -c mon0
What is she trying to accomplish?
A. To gain access to the WEP access code by examining the response to deauthentication packets, which contain the WEP code
B. To use deauthentication packets to generate lots of network traffic
C. To determine the BSSID of the access point
D. To discover the cloaked SSID of the network
B. Within 802.11 standards, there are several different management-type frames in use: everything from a beacon and association request to something called (and I’m not making this up) a probe request.
Which wireless standard is designed to work at 54 Mbps on a frequency range of 2.4 GHz?
A. 802.11a
B. 802.11b
C. 802.11g
D. 802.11n
C. The 802.11 series of standards identifies all sorts of wireless goodies, such as the order imposed on how clients communicate, rules for authentication, data transfer, size of packets, how the messages are encoded into the signal, and so on. 802.11g combines the advantages of both the “a” and “b” standards without as many of the drawbacks.
The team has discovered an access point configured with WEP encryption. What is needed to perform a fake authentication to the AP in an effort to crack WEP? (Choose all that apply.)
A. A replay of a captured authentication packet
B. The IP address of the AP
C. The MAC address of the AP
D. The SSID
C, D. Cracking WEP generally comes down to capturing a whole bunch of packets and running a little math magic to crack the key. If you want to generate traffic by sending fake authentication packets to the AP, you need the AP’s MAC address and the SSID to make the attempt.