Chapter 9: Wireless Network Hacking

All-in-One Exam Guide

11 Terms

1. An access point is discovered using WEP. The ciphertext sent by the AP is encrypted with the same key and cipher used by its stations. What authentication method is being used?

A. Shared key

B. Asynchronous

C. Open

D. None

A. WEP uses shared key encryption, which is part of the reason it is so susceptible to cracking.

2. You are discussing wireless security with your client. He tells you he feels safe with his network because he has turned off SSID broadcasting. Which of the following is a true statement regarding his attempt at security?

A. Unauthorized users will not be able to associate because they must know the SSID in order to connect.

B. Unauthorized users will not be able to connect because DHCP is tied to SSID broadcast.

C. Unauthorized users will still be able to connect because non-broadcast SSID puts the AP in ad hoc mode.

D. Unauthorized users will still be able to connect because the SSID is still sent in all packets, and a sniffer can easily discern the string.

D. Turning off the broadcast of an SSID is a good step, but SSIDs do nothing in regard to security. The SSID is included in every packet, regardless of whether it’s broadcast from the AP.

3. You are discussing wireless security with your client. He tells you he feels safe with his network as he has implemented MAC filtering on all access points, allowing only MAC addresses from clients he personally configures in each list. You explain this step will not prevent a determined attacker from connecting to his network. Which of the following explains why the APs are still vulnerable?

A. WEP keys are easier to crack when MAC filtering is in place.

B. MAC addresses are dynamic and can be sent via DHCP.

C. An attacker could sniff an existing MAC address and spoof it.

D. An attacker could send a MAC flood, effectively turning the AP into a hub.

C. MAC filtering is easily hacked by sniffing the network for a valid MAC, then spoofing it, using any number of options available.

4. A new member of the pen test team has discovered a WAP that is using WEP for encryption. He wants a fast tool that can crack the encryption. Which of the following is his best choice?

A. AirSnort

B. Aircrack, using Korek implementation

C. NetStumbler

D. Kismet

B. Aircrack, using the Korek implementation, is a very fast tool for cracking WEP, assuming you’ve collected at least 50,000 packets.

5. You are advising a client on wireless security. The NetSurveyor tool can be valuable in locating which potential threat to the network’s security?

A. Identifying clients who are MAC spoofing

B. Identifying clients who haven’t yet associated

C. Identifying access points using SSIDs with less than eight characters

D. Identifying rogue access points

D. NetSurveyor, and a lot of other tools, can display all sorts of information about the network. Of the choices listed, a rogue access point is the only true security threat to the wireless network.

6. A pen test team member is attempting to crack WEP. He needs to generate packets for use in Aircrack later. Which of the following is the best choice?

A. Use aireplay to send fake authentication packets to the AP.

B. Use Kismet to sniff traffic, which forces more packet transmittal.

C. Use NetStumbler to discover more packets.

D. There is no means to generate additional wireless packets—he must simply wait long enough to capture the packets he needs.

A. Aireplay can send fake authentication packets into the network, causing storms of packets for use in WEP cracking. It can also be used to generate ARP messages for the same purpose.

7. You set up an access point near your target’s wireless network. It is configured with an exact copy of the network’s SSID. After some time, clients associate and authenticate to the AP you’ve set up, allowing you to steal information. What kind of attack is this?

A. Social engineering

B. WEP attack

C. MAC spoofing

D. Rogue access point

D. Setting up a rogue access point is one of the easiest methods to attack a wireless network. If the network administrator is careless, it can pay huge dividends.

8. Your client is confident in her wireless network security. In addition to turning off SSID broadcast and encrypting with WEP, she has also opted for the use of directional antennas instead of omnidirectional. These are set up along the east side of the building, pointing west, to provide coverage. In this case, does the placement provide adequate security for the network?

A. Yes, directional antennas do a better job than omnidirectional.

B. Yes, directional antennas force mutual authentication for clients.

C. No, attackers can simply place themselves on the west side of the building, and the signals may travel for miles.

D. No, the placement of antennas in a wireless network is irrelevant.

C. Wireless signals can travel for miles—especially when the signal strength and power are focused in one direction, instead of being beaconed out 360 degrees.

9. Which of the following is a true statement?

A. Configuring a strong SSID is a vital step in securing your network.

B. An SSID should always be more than eight characters in length.

C. An SSID should never be a dictionary word or anything easily guessed.

D. SSIDs are important for identifying networks, but do little to nothing for security.

D. An SSID is used for nothing more than identifying the network. It is not designed as a security measure.

10. Which wireless encryption technology makes use of temporal keys?

A. WAP

B. WPA

C. WEP

D. EAP

B. WPA uses temporal keys, making it a much stronger encryption choice than WEP.

11. You are walking through your target’s campus and notice a symbol on the bottom corner of a building. The symbol shows two backwards parentheses with the word tsunami across the top. What does this mean?

A. Nothing. The symbol is most likely graffiti.

B. The war chalking symbol indicates the direction of the Yagi antenna inside the building.

C. The war chalking symbol indicates a wireless flood area.

D. The war chalking symbol indicates a wireless hotspot with a default password of tsunami.

D. Any time there is a word written above or beside a war chalk symbol (two backward parentheses), it indicates either the SSID or, more commonly, the administrative password to the AP itself.