Pentest+ Practice Exam Chapter Wireless and RF Attacks (Jonathan Ammerman) Flashcards
Which method of attacking Wi-Fi networks occurs when an attacker creates a wireless access point with an ESSID identical to one to which an unwitting user intends to connect? As they negotiate a connection, users pass authentication information to this malicious access point, enabling attackers to recover victim device user traffic or access credentials. This attack frequently abuses the fact that wireless networks are typically presented in order of signal strength and can therefore benefit from high-gain wireless antennae or close physical proximity to a connecting client.
A. Repeating attack
B. RFID cloning
C. Evil twin
D. SSL stripping
C. Evil twin
Explanation:
The attack described is an evil twin attack. This attack works from the premise that Wi-Fi-enabled devices only look to see that the SSID of a network matches what they have connected to previously before requesting a session. If the malicious access point has a proxy established for requested network traffic, an attacker can then leverage numerous man-in-the-middle attacks against the victim for further exploitation.
Consider the command shown. Of the options listed, what is the most likely intent of an attacker running this command?
A. Capturing traffic from a wireless access point in a PCAP file
B. Listening for beacon frames to send an association request with a target wireless access point
C. Cracking a PSK used to connect to a wireless access point
D. Brute-forcing a WPS PIN in order to obtain the wireless access password
A. Capturing traffic from a wireless access point in a PCAP file Explanation: The airodump-ng command shown is running a packet capture operation against a specific wireless AP. This packet capture information can be used for further attacks later, such as cracking a WEP PSK.
Which technique is used in attacking wireless access points or the devices connecting to them, forcing client devices to disconnect from a network momentarily?
A. Deauthentication attack
B. Downgrade attack
C. Fragmentation attack
D. ChopChop
A. Deauthentication attack Explanation: The attack technique described is a deauthentication attack. By disconnecting a client (and waiting for them to reestablish a connection), an attacker can sniff wireless traffic for the four-way handshake when the client renegotiates a new connection to the access point, which can then be used to determine the PSK for the access point in question. This technique can also be used as a crude DoS attack; if deauthentication frames are spammed to a client, they are forced to constantly reestablish a connection with a four-way handshake, which would result in dropped packets and broken connections from the perspective of the victim. B, C, and D are incorrect. B is incorrect because a downgrade attack occurs when a man-in-the-middle intercepts TLS traffic from a target system to a remote server and drops the request. Since the target system does not receive a response from the target server, application logic dictates that the target server likely is not capable of handling TLS 1.2 or 1.1 traffic, and attempts to renegotiate a connection using a less secure protocol. With repeated applications of the downgrade attack, a target system could be coerced into connecting with SSLv3 rather than TLS. This is significant because SSLv3 is a weaker communications protocol overall, relying on older ciphers for its encryption. C is incorrect because a fragmentation attack is a means of targeting WEP networks that abuses a weakness in the pseudorandom generation algorithm (PRGA) by injecting junk data into a wireless access point, which causes a target network to eventually reuse cryptographic data. By tricking the AP into reusing key data, it becomes possible for an attacker to obtain a portion of the PRGA data; it cannot be used to recover a WEP key directly. 
D is incorrect because the ChopChop attack is one that targets WEP networks and reveals the plaintext data of packets sent in a WEP network; like a fragmentation attack, a ChopChop attack cannot be used to recover a WEP key directly.
Which tool is used specifically to attack WPS-enabled networks, exploiting a weakness in WPS that enables attackers to brute-force the PIN used to obtain a WPA password?
A. WiFite
B. airodump-ng
C. kismet
D. reaver
D. reaver Explanation: The tool described here is reaver. Due to a weakness in the implementation of WPS, only 11,000 guesses are necessary to identify the PIN used by a given WPS-enabled network. This allows an attacker to recover a WPA password in a number of hours.
Consider the command shown. Of the options listed, what is the most likely intent of an attacker running this command?
airbase-ng -a 12:34:56:78:90:AB --essid Home -c 6 wlan0mon
A. Impersonating the SSID of a network in order to establish an evil twin network
B. Injecting ARP packets in order to generate initialization vectors
C. Capturing initialization vectors from a WEP access point in order to later crack the wireless access key
D. Cracking a PSK used to connect to a wireless access point
A. Impersonating the SSID of a network in order to establish an evil twin network Explanation: The tool airbase-ng is used for many purposes, but broadly it allows an attacker to target wireless clients rather than attacking an access point itself. In the example provided, the attacker is creating a wireless network with a specific wireless network name and MAC ID; this could allow the attacker to act as a man-in-the-middle and capture victim traffic for further exploitation.
Which term is used to describe attacks that leverage a device’s Bluetooth connection to steal information?
A. Wardriving
B. Bluesnarfing
C. BlueBorne
D. NFC cloning
B. Bluesnarfing Explanation: Bluesnarfing is the theft of data from devices via Bluetooth connections. In the past, many of the attacks in this family exploited firmware flaws that allow silent, unprompted pairing of Bluetooth devices. Typical data types targeted with this attack include contact information, text messages, and email data.
Which attack enables a penetration tester to duplicate access cards and is of particular value during physical penetration tests?
A. Bluejacking
B. Tailgating
C. Fragmentation attack
D. RFID cloning
D. RFID cloning Explanation: RFID cloning is a technique used to copy RFID access cards, which are a typical means of authorization check in corporate facilities and offices; it is a particularly valuable technique when conducting a physical pentest.
Which attack is a DoS method specifically used to target wireless communication protocols?
A. Karma attack
B. Jamming
C. Packet Injection
D. Evil Twin
B. Jamming Explanation: Jamming is the term used to describe a DoS attack against wireless access points or even cellular signals. It should be noted that signal jamming is illegal in many countries and jurisdictions. Cell phone networks, wireless APs, satellite, and other radio communication frequencies make up what is broadly referred to as the EM (electromagnetic) spectrum. The EM spectrum is considered and treated by many nations as a national resource, the same as their airspace or water, and as such countries take great care to ensure it is protected.
Consider the command shown. Of the options listed, what is the most likely intent of an attacker running this command?
A. Running a denial of service (DoS) attack by spamming deauthentication frames to a client connected to a wireless access point
B. Recovering a WPA password from the WPS PIN
C. Listening to traffic intended for a target access point in order to collect four-way handshake information
D. Establishing a proxy from an evil twin to strip SSL from victim HTTPS requests
A. Running a denial of service (DoS) attack by spamming deauthentication frames to a client connected to a wireless access point Explanation: The main clue that this command is intended to deny service is the use of aireplay-ng (a tool in the aircrack-ng suite that injects packets into a wireless network) with the -0 flag. This flag is used to indicate that the tool should send deauthentication frames; the number following it is a count, except in the case of 0, which indicates that the deauthentication frames should be sent endlessly. Given these facts and the choices present, the command in question is a wireless jamming DoS attack targeting MAC address FE:DC:BA:09:87:65. Another means of accomplishing a wireless DoS attack would be the use of the wifi/wifi_jammer module in the Websploit framework.
Which encryption protocol was part of the original standard for 802.11 wireless communications and is considered a broken encryption algorithm?
A. WPA
B. WPA-Enterprise
C. WEP
D. ARP
C. WEP Explanation: Wired Equivalent Protocol (WEP) was part of the original 802.11 wireless communication standard, but is now considered a broken encryption algorithm. The weakness stems from a flaw in the implementation of the RC4 stream cipher used in WEP that causes the system to reuse the RC4 key in question relatively regularly, which makes it possible to crack the cryptography entirely.
Which security standard was designed to simplify the connection process for consumer devices and home wireless networks but is vulnerable to remote attack if the PIN feature is enabled (default setting on many home routers) or local attacks if the wireless access point is not kept physically secured?
A. WPA2
B. WPS
C. TKIP
D. PSK
B. WPS Explanation: Wi-Fi Protected Setup (WPS) was an enhancement for WPA designed to simplify the deployment of home wireless networks. A vulnerability in its implementation makes it possible to brute-force the PIN used for simplified connecting in a relatively short amount of time, making it trivial to recover the WPA password. In addition, if a malicious actor is able to get close enough to the access point to press the WPS button, anyone can connect to the access point without being required to enter a password.
Consider the command shown. Of the options listed, what is the most likely intent of an attacker running this command?
A. Listening to traffic intended for a target access point in order to collect four-way handshake information
B. Running a denial of service attack by spamming deauthentication frames to clients connected to a wireless access point
C. Locating WPS-enabled networks
D. Brute-forcing a WPS PIN in order to obtain the wireless access password
D. Brute-forcing a WPS PIN in order to obtain the wireless access password Explanation: The reaver command is an attack tool designed specifically to target WPS-enabled networks. Given that it requires knowledge of a target AP ESSID before it can do anything, the only possible answer is brute-forcing a WPS PIN in order to obtain the wireless access password.
Consider the command shown. Of the options listed, what is the most likely intent of an attacker running this command?
A. Locating WPS-enabled networks
B. Collecting the access password for a WPS-enabled router after cracking the WPS PIN
C. Listening for network probes in order to identify an ESSID to which a victim will connect
D. Cracking a WEP access password offline based on a packet capture file
D. Cracking a WEP access password offline based on a packet capture file Explanation: The use of aircrack-ng and reading from multiple PCAP files indicates that this is most likely an effort to crack a wireless access point’s PSK. A, B, and C are incorrect. A is incorrect because aircrack-ng is used to crack WEP and WPA PSKs; a tool like wash would be better suited for detecting WPS-enabled access points. B is incorrect because collecting the wireless access password is in the sphere of reaver rather than that of aircrack-ng. C is incorrect because collecting wireless traffic data is a function of the airodump-ng tool in the aircrack-ng suite, rather than a function of aircrack-ng itself.