This chapter includes questions from the following topics:
• Describe wireless network architecture and terminology
• Identify wireless network types and forms of authentication
• Describe wireless encryption algorithms
• Identify wireless hacking methods and tools
• Describe mobile platform attacks
• Identify Mobile Device Management
I grew up in a time when television had only three channels, the music industry was all up in arms because of the new technology allowing anyone to tape their own music (cassette tapes), and if you needed to talk to someone about something, you had to either meet them face to face or call their one and only home phone (and hope they were there). Oh, sure, the ultra-rich had phones built into their limos (not really much more than glorified CB radio devices actually), but the idea of a cell phone didn’t really hit the public consciousness until sometime in the early 1980s. In fact, the first real foray into the technology came in 1973, when a Motorola researcher created a mobile phone. The handset came in at a stealthy 8 by 5 inches, weighing approximately 2½ pounds, and offered a whopping 30 minutes of talk time.
After a decade or so of further research and attempts at bringing the technology to market, the first analog cellular network (Advanced Mobile Phone Service [AMPS]) hit the United States, and Motorola released the DynaTAC 8000X, soon followed by the transportable "bag phone," a device that has been ridiculed in technology circles for decades now. Despite the weight and bulkiness of the system, a mere half hour of talk time, and a charge cycle of nearly 10 hours, demand for the thing was incredible, and people signed up on waiting lists by the thousands.
I remember quite clearly how jealous I felt seeing people driving around with those ultra-cool giant-battery phones that they could use anywhere. I even looked into buying one and can remember the first time I slung that big old bag over my head to rest the strap on my shoulder so I could heft the cord-connected handset and dial home. Looking back, it seems really silly, but that strong desire by the consumer population fueled an explosion in mobile device technology that has changed the world.
The wireless revolution touched everything in life—not just the humble phone. We looked at making everything wireless and just knew we could do it. (Star Trek had been showing wireless communication for decades, so why not?) Computer networks were an obvious branch to follow, and seemingly everything else followed. Our wireless technologies are now as much part of life as the light switch on the wall—we wouldn’t know what to do without them, and we all just expect it all to work. Hence the problem.
I’ve said repeatedly that almost every technological implementation designed to make our lives easier and better can be, and usually has already been, corrupted by the bad guys, and wireless tech is no exception. Wireless networks are everywhere, and they’re broadcasting information across the air that anyone can pick up. Cellular devices are called smartphones, even though the users of the devices aren’t, and mobile malware is as common and ubiquitous as teenagers texting during family dinner. And the opportunity for co-opting wireless signals that control everything else, such as your car’s built-in computer functions, your refrigerator, and maybe the turbine control at the local power plant? Let’s just say that while all this wireless technology is really cool and offers us a whole lot of benefits, we better all pay attention to the security side of the whole thing. Who knows what kind of societal uproar could take place if cellular devices and computer networking were taken down and nobody could play Angry Birds?
STUDY TIPS Depending on the pool of test questions the system pulls for your exam, you’ll either grow to love the test you’re taking or hate it with a fiery passion. Questions on wireless and mobile platforms are usually fairly easy and shouldn’t bother you too much. Except for the ones that aren’t—those will drive you insane.
Whereas EC-Council once seemed to focus on WEP, SSIDs, and weird questions on encoding methods, channel interference, and things of that nature, now they’re much more focused on the mobile world. Yes, you will still see the same old stuff on wireless networking you’re supposed to know—tools used in hacking wireless, encryption standards, and so on—but be prepped to see much more of a mobile-device-centric layout now. Make sure you know Bluetooth well, and check out any and all mobile device tools you can find—there will likely be a couple off-the-wall mobile tool questions along the way, and I can’t possibly put them all in here. Mobile Device Management (MDM), BYOD, rooting, and jailbreaking are all topics you’ll need to read up on and know well.
1. A company hires you as part of their security team. They are implementing new policies and procedures regarding mobile devices in the network. Which of the following would not be a recommended practice?
A. Create a BYOD policy and ensure all employees are educated and aware of it.
B. Whitelist applications and ensure all employees are educated and aware of them.
C. Allow jailbroken and rooted devices on the network, as long as the employee has signed the policy.
D. Implement MDM.
2. Which of the following is a true statement?
A. Kismet can be installed on Windows, but not on Linux.
B. NetStumbler can be installed on Linux, but not on Windows.
C. Kismet cannot monitor traffic on 802.11n networks.
D. NetStumbler cannot monitor traffic on 802.11n networks.
3. Which of the following tools would be used in a blackjacking attack?
A. Aircrack
B. BBCrack
C. BBProxy
D. Paros Proxy
4. Which of the following use a 48-bit initialization vector? (Choose all that apply.)
A. WEP
B. WPA
C. WPA2
D. WEP2
5. Which of the following are true statements? (Choose all that apply.)
A. WEP uses shared key encryption with TKIP.
B. WEP uses shared key encryption with RC4.
C. WPA2 uses shared key encryption with RC4.
D. WPA2 uses TKIP and AES encryption.
6. Which of the following tools is a vulnerability scanner for Android devices?
A. X-ray
B. evasi0n7
C. Pangu
D. DroidSheep Guard
7. Which type of jailbreaking allows user-level access but does not allow iBoot-level access?
A. iBoot
B. Bootrom
C. userland
D. iRoot
8. While on vacation, Joe receives a phone call from his identity alert service notifying him that two of his accounts have been accessed in the past hour. Earlier in the day, he did connect a laptop to a wireless hotspot at McDonald’s and accessed the two accounts in question. Which of the following is the most likely attack used against Joe?
A. Unauthorized association
B. Honeyspot access point
C. Rogue access point
D. Jamming signal
9. An attacker is attempting to crack a WEP code to gain access to the network. After enabling monitor mode on wlan0 and creating a monitoring interface (mon0), she types this command:
aireplay-ng -0 0 -a 0A:00:2B:40:70:80 mon0
What is she trying to accomplish?
A. To gain access to the WEP access code by examining the response to deauthentication packets, which contain the WEP code
B. To use deauthentication packets to generate lots of network traffic
C. To determine the BSSID of the access point
D. To discover the cloaked SSID of the network
10. Which wireless standard works at 54 Mbps on a frequency range of 2.4 GHz?
A. 802.11a
B. 802.11b
C. 802.11g
D. 802.11n
11. The team has discovered an access point configured with WEP encryption. What is needed to perform a fake authentication to the AP in an effort to crack WEP? (Choose all that apply.)
A. A captured authentication packet
B. The IP address of the AP
C. The MAC address of the AP
D. The SSID
12. Which of the tools listed here is a passive discovery tool?
A. Aircrack
B. Kismet
C. NetStumbler
D. Netsniff
13. You have discovered an access point using WEP for encryption purposes. Which of the following is the best choice for uncovering the network key?
A. NetStumbler
B. Aircrack
C. John the Ripper
D. Kismet
14. Which of the following statements are true regarding TKIP? (Choose all that apply.)
A. Temporal Key Integrity Protocol forces a key change every 10,000 packets.
B. Temporal Key Integrity Protocol ensures keys do not change during a session.
C. Temporal Key Integrity Protocol is an integral part of WEP.
D. Temporal Key Integrity Protocol is an integral part of WPA.
15. Regarding SSIDs, which of the following are true statements? (Choose all that apply.)
A. SSIDs are always 32 characters in length.
B. SSIDs can be up to 32 characters in length.
C. Turning off broadcasting prevents discovery of the SSID.
D. SSIDs are part of every packet header from the AP.
E. SSIDs provide important security for the network.
F. Multiple SSIDs are needed to move between APs within an ESS.
16. You are discussing WEP cracking with a junior pen test team member. Which of the following are true statements regarding the initialization vectors? (Choose all that apply.)
A. IVs are 32 bits in length.
B. IVs are 24 bits in length.
C. IVs get reused frequently.
D. IVs are sent in clear text.
E. IVs are encrypted during transmission.
F. IVs are used once per encryption session.
17. A pen test member has configured a wireless access point with the same SSID as the target organization’s SSID and has set it up inside a closet in the building. After some time, clients begin connecting to his access point. Which of the following statements are true regarding this attack? (Choose all that apply.)
A. The rogue access point may be discovered by security personnel using NetStumbler.
B. The rogue access point may be discovered by security personnel using NetSurveyor.
C. The rogue access point may be discovered by security personnel using Kismet.
D. The rogue access point may be discovered by security personnel using Aircrack.
E. The rogue access point may be discovered by security personnel using ToneLoc.
18. A pen test member is running the Airsnarf tool from a Linux laptop. What is she attempting?
A. MAC flooding against an AP on the network
B. Denial-of-service attacks against APs on the network
C. Cracking network encryption codes from the WEP AP
D. Stealing usernames and passwords from an AP
19. What frequency does Bluetooth operate in?
A. 2.4–2.48 GHz
B. 2.5 GHz
C. 2.5–5 GHz
D. 5 GHz
20. What is the integrity check mechanism for WPA2?
A. CBC-MAC
B. CCMP
C. RC4
D. TKIP
21. Jack receives a text message on his phone advising him of a major attack at his bank. The message includes a link to check his accounts. After clicking the link, an attacker takes control of his accounts in the background. Which of the following attacks is Jack facing?
A. Phishing
B. Smishing
C. Vishing
D. App sandboxing
22. Which of the following allows an Android user to attain privileged control of the device?
A. DroidSheep
B. SuperOneClick
C. Faceniff
D. ZitMo
23. Which of the following is a true statement regarding wireless security?
A. WPA2 is a better encryption choice than WEP.
B. WEP is a better encryption choice than WPA2.
C. Cloaking the SSID and implementing MAC filtering eliminate the need for encryption.
D. Increasing the length of the SSID to its maximum increases security for the system.
24. A pen test colleague is attempting to use a wireless connection inside the target’s building. On his Linux laptop he types the following commands:
What is the most likely reason for this action?
A. Port security is enabled on the access point.
B. The SSID is cloaked from the access point.
C. MAC filtering is enabled on the access point.
D. Weak signaling is frustrating connectivity to the access point.
25. An individual attempts to make a call using his cell phone; however, it seems unresponsive. After a few minutes of effort, he turns it off and turns it on again. During his next phone call, the phone disconnects and becomes unresponsive again. Which Bluetooth attack is underway?
A. Bluesmacking
B. Bluejacking
C. Bluesniffing
D. Bluesnarfing
26. Which of the following is a pairing mode in Bluetooth that rejects every pairing request?
A. Non-pairing
B. Non-discoverable
C. Promiscuous
D. Bluejack
1. C
2. D
3. C
4. B, C
5. B, D
6. A
7. C
8. B
9. B
10. C
11. C, D
12. B
13. B
14. A, D
15. B, D
16. B, C, D
17. A, B, C
18. D
19. A
20. A
21. B
22. B
23. A
24. C
25. A
26. A
1. A company hires you as part of their security team. They are implementing new policies and procedures regarding mobile devices in the network. Which of the following would not be a recommended practice?
A. Create a BYOD policy and ensure all employees are educated and aware of it.
B. Whitelist applications and ensure all employees are educated and aware of them.
C. Allow jailbroken and rooted devices on the network, as long as the employee has signed the policy.
D. Implement MDM.
C. Bring Your Own Device (BYOD) and Mobile Device Management (MDM) are becoming more and more of a headache for security administrators. BYOD is the idea that employees can bring their own smartphones, tablets, and mobile devices to the workplace and use them as part of the enterprise network. Mobile Device Management (often implemented with the use of a third-party product containing management features for mobile device vendors) is an effort to administrate and secure mobile device use within the organization.
Obviously having mobile devices roaming in and out of a network can cause all sorts of security issues, and there are lots of common-sense steps that can be taken. Allowing rooted and jailbroken devices—essentially devices that could have any number of installed (knowingly or not) issues on them—is not among the good steps to take.
A, B, and D are incorrect choices because these are all good ideas regarding mobile device use and management. Other good ideas include, but are not limited to, ensuring all devices have a screen lockout code enabled, using encryption (in transit and for data-at-rest concerns), making sure there are clear delineations between business and personal data, implementing antivirus, and making sure the OS and patching are up to date.
2. Which of the following is a true statement?
A. Kismet can be installed on Windows, but not on Linux.
B. NetStumbler can be installed on Linux, but not on Windows.
C. Kismet cannot monitor traffic on 802.11n networks.
D. NetStumbler cannot monitor traffic on 802.11n networks.
D. Not only is this question overly confusing and very tool specific, it’s pretty much exactly the type of question you’ll see on your exam. Kismet and NetStumbler are both wireless monitoring tools with detection and sniffing capabilities. NetStumbler is Windows specific, whereas Kismet can be installed on virtually anything. Both do a great job of monitoring 802.11a, b, and g networks, but NetStumbler can’t handle 802.11n. Kismet can even be used as an IDS for your wireless network!
One last fun-fact to know in relation to this question—Kismet does a better job of pulling management packets. A lot of wireless cards on Windows systems don’t support monitor mode and have a difficult time pulling management and control packets.
A, B, and C are incorrect statements. Kismet can be installed on anything, NetStumbler is Windows specific and not available on Linux, and Kismet can monitor 802.11n networks.
3. Which of the following tools would be used in a blackjacking attack?
A. Aircrack
B. BBCrack
C. BBProxy
D. Paros Proxy
C. This is another tool-specific question, but one that should be relatively easy. Blackjacking and BBProxy were exposed at DefCon several years ago, so this isn’t anything new in terms of an attack. In short, a Blackberry device is, in effect, part of the internal network, and configuring an attack properly on the handset may provide access to resources on the internal network. BBProxy is used in part of this attack, and you can see the whole thing pulled off at this link from the original presentation in 2006: http://www.praetoriang.net/presentations/blackjack.html.
A, B, and D are incorrect because these tools aren’t used in blackjacking attempts. Aircrack is used in wireless network encryption cracking, and Paros is a proxy service, but neither is used in blackjacking. BBCrack doesn’t exist.
4. Which of the following use a 48-bit initialization vector? (Choose all that apply.)
A. WEP
B. WPA
C. WPA2
D. WEP2
B, C. One of the improvements from WEP to WPA involved extending the initialization vector (IV) to 48 bits from 24 bits, and WPA2 keeps a 48-bit per-packet number as well. An IV is a per-frame value mixed with the key so that the same key never produces the same keystream twice. WEP prepends its 24-bit IV to every frame in the clear and concatenates it with the shared key to seed RC4; the frame's integrity check value (ICV) is a separate CRC-32 over the payload, appended to the end of the data and encrypted along with it. TKIP (WPA) uses its 48-bit sequence counter both as the IV and as a replay counter, and CCMP (WPA2) feeds a 48-bit packet number into the AES nonce. Because the length of the IV determines how many distinct keystreams one key can yield before a repeat, going from 2^24 to 2^48 values made IV reuse a non-issue. By itself this didn't answer all of WEP's problems; combined with per-packet key mixing and a real message integrity code, it did provide for better security.
A is incorrect because WEP uses a 24-bit IV, which allows roughly 16 million (2^24) unique values. That may seem like a large number, but it's really not: a busy AP cycles through them in hours, a repeat is more likely than not after only a few thousand frames, and the statistical attacks on RC4 (FMS, KoreK, PTW) recover the key from a few tens of thousands of captured IVs in minutes, no brute force required.
D is incorrect because WEP2 is a distractor; it is not a standard you will meet on a real network.
5. Which of the following are true statements? (Choose all that apply.)
A. WEP uses shared key encryption with TKIP.
B. WEP uses shared key encryption with RC4.
C. WPA2 uses shared key encryption with RC4.
D. WPA2 uses TKIP and AES encryption.
B, D. WEP uses a 24-bit initialization vector and RC4 to "encrypt" data transmissions, although saying that makes me shake in disgust because it's really a misnomer. WEP was designed as basic encryption merely to simulate the "security" of being on a wired network—hence, the "equivalent" part in Wired Equivalent Privacy. It was never intended as true encryption protection. Its successors improved on two fronts. First, WPA kept RC4 (so existing hardware could be upgraded) but wrapped it in Temporal Key Integrity Protocol (TKIP): the key used to encrypt data is mixed per packet and rotated every 10,000 packets or so instead of staying fixed for the life of the network. Second, WPA2 moved to NIST-approved encryption with AES (in CCMP) as the algorithm of choice, retaining TKIP only as an optional fallback for older clients.
A is incorrect because WEP does not use TKIP. Along with the same key being used to encrypt and decrypt (shared key), it’s not changed and remains throughout the communication process—which is part of the reason it’s so easy to crack.
C is incorrect because WPA2 does not use RC4 as an encryption algorithm.
6. Which of the following tools is a vulnerability scanner for Android devices?
A. X-ray
B. evasi0n7
C. Pangu
D. DroidSheep Guard
A. Mobile tools will pop up all over the place on your exam, so do your best to get as much exposure to as many of them as possible. X-ray is an Android vulnerability scanner explicitly called out by EC-Council. It searches out unpatched vulnerabilities and automatically updates for new vulnerability signatures as they are discovered.
B and C are incorrect because both are jailbreaking applications for iOS devices.
D is incorrect because DroidSheep Guard is a tool that monitors the ARP table on your phone, alerting on suspicious entries and disabling shady Wi-Fi connections.
7. Which type of jailbreaking allows user-level access but does not allow iBoot-level access?
A. iBoot
B. Bootrom
C. Userland
D. iRoot
C. I don’t own an iPhone, iPod, or iAnything, and have no desire to. However, since iOS is one of the most popular mobile device operating systems, I have to have at least some working knowledge of it. And you do too, if you want to be a CEH. Jailbreaking an iPhone is the process of removing the software restrictions imposed by Apple so you can install a modified set of kernel patches, thereby allowing you to run whatever software or updates you want. EC-Council lists three main methods of jailbreaking, two of which (iBoot and Bootrom) allow something called iBoot access. iBoot access basically refers to the ability to affect the firmware itself.
Userland is a term referring to the software running on the iOS device after the kernel has loaded. Therefore, a userland jailbreak, being entirely software based, can be patched by Apple after the effort. Userland jailbreaks include JailbreakMe Star, Saffron, Spirit, Absinthe, evasi0n, and Pangu.
A and B are incorrect because both jailbreaking efforts provide iBoot-level access. In other words, each method tampers with the boot chain of trust and the firmware itself rather than only with software running after the kernel has loaded.
D is incorrect because this is not a type of jailbreaking.
8. While on vacation, Joe receives a phone call from his identity alert service notifying him that two of his accounts have been accessed in the past hour. Earlier in the day, he did connect a laptop to a wireless hotspot at McDonald’s and accessed the two accounts in question. Which of the following is the most likely attack used against Joe?
A. Unauthorized association
B. Honeyspot access point
C. Rogue access point
D. Jamming signal
B. Sometimes EC-Council creates and uses redundant terminology, so don’t blame your happy little author or publication editors for this insanely annoying jewel. In this case, Joe most likely connected to what he thought was the legitimate McDonald’s free Wi-Fi while he was getting his morning coffee and checked the accounts in question. However, an attacker in (or close to) the restaurant had set up another wireless network using the same SSID as the restaurant’s. This practice is known as the honeyspot attack.
A is incorrect because the unauthorized association attack exploits so-called soft access points—embedded wireless LAN radios in some mobile devices that can be launched inadvertently and used by the attacker for access to the enterprise network.
C is incorrect, but just barely so. The whole idea of a honeyspot attack is predicated on the idea that the attacker has some kind of rogue access point set up to trick people into connecting. However, this is a case of one answer being more correct than the other. Honeyspot attacks are explicitly called out as a separate type of rogue attack by EC-Council, so you’ll need to remember it that way.
D is incorrect because a jamming attack seeks to DoS the entire signal, not necessarily to steal anything from it.
9. An attacker is attempting to crack a WEP code to gain access to the network. After enabling monitor mode on wlan0 and creating a monitoring interface (mon0), she types this command:
aireplay-ng -0 0 -a 0A:00:2B:40:70:80 mon0
What is she trying to accomplish?
A. To gain access to the WEP access code by examining the response to deauthentication packets, which contain the WEP code
B. To use deauthentication packets to generate lots of network traffic
C. To determine the BSSID of the access point
D. To discover the cloaked SSID of the network
B. Within 802.11 standards, there are several different management-type frames in use: everything from a beacon and association request to something called (and I'm not making this up) a probe request. One of these management frames is a deauthentication frame, which basically kicks a client off the network. The client then has to reconnect—and will do so quickly. In the command shown, -0 selects deauthentication mode, the 0 that follows it means "keep sending indefinitely," and -a names the AP's BSSID; adding -c with a station's MAC address would target one client instead of broadcasting to all of them. The idea behind this kind of activity is to generate lots of traffic to capture in order to discern the WEP key (from clients trying to re-associate to all the new ARP packets that will come flying around, since many machines will dump their ARP cache after being knocked off the network). Remember that the initialization vectors within WEP are relatively short (24 bits) and are reused frequently, so cracking the key requires, in general, tens of thousands of unique IVs (aircrack-ng's PTW attack wants roughly 20,000 data frames for a 40-bit key and 40,000 to 85,000 for a 104-bit key). You can certainly gather these over time, but generating traffic accomplishes it much faster. One final note on this must be brought up: this type of attack can just as easily result in a denial-of-service attack against the hosts and the AP in question, and it is noisy (a wireless IDS such as Kismet will flag a deauth flood), so be careful.
A is incorrect because the response to a deauth packet does not contain the WEP access code in the clear. If it did, the attacker wouldn’t need to bother with all this traffic generation in the first place—one simple packet would be enough to crack all security.
C is incorrect because the basic service set identifier (BSSID) is the MAC address of the AP. It's easy enough to gain from any number of methods (airodump-ng lists it for every AP it hears) and isn't a reason for sending multiple deauth packets. Note that the BSSID cannot be hidden: it is the MAC address carried in the header of every frame the AP sends. It is the SSID, not the BSSID, that some networks "cloak," and the airmon-ng/airodump-ng combination handles that case too.
D is incorrect because even if an SSID is "cloaked," that doesn't mean it's actually hidden; all it means is that the AP leaves the name out of its beacons. Strictly speaking, the SSID travels in management frames (beacons, probe responses, probe and association requests) rather than in every data frame, but the exam treats it as being in every packet from the AP; either way, the moment a client probes for or associates with the cloaked network, the name goes over the air in the clear and airodump-ng fills it in. A deauth helps there only indirectly, by forcing clients to re-associate; it is not what this command is for.
10. Which wireless standard is designed to work at 54 Mbps on a frequency range of 2.4 GHz?
A. 802.11a
B. 802.11b
C. 802.11g
D. 802.11n
C. The 802.11 series of standards identifies all sorts of wireless goodies, such as the order imposed on how clients communicate, rules for authentication, data transfer, size of packets, how the messages are encoded into the signal, and so on. 802.11g combines the advantages of both the “a” and “b” standards without as many of the drawbacks. It’s fast (at 54 Mbps), is backward compatible with 802.11b clients, and doesn’t suffer from the coverage area restrictions 802.11a has to contend with. Considering it operates in the 2.4GHz range, however, there may be some interference issues to deal with. Not only are a plethora of competing networks blasting their signals (sometimes on the same channel) near and around your network, but you also have to consider Bluetooth devices, cordless phones, and even baby monitors that may cause disruption (due to interference) of wireless signals. And microwave ovens happen to run at 2.45 GHz—right smack dab in the middle of the range.
A is incorrect because 802.11a operates at 54 Mbps but uses the 5GHz frequency range. The big drawback to 802.11a was the frequency range itself—because of the higher frequency, network range was limited. Whereas 802.11b clients could be spread across a relatively large distance, 802.11a clients could communicate much faster but had to be closer together. Combined with the increased cost of equipment, this contributed to 802.11a not being fully accepted as a de facto standard. That said, for security purposes, it may not be a bad choice. Not as many people use it, or even look for it, and its smaller range may work to assist you in preventing spillage outside your building.
B is incorrect because 802.11b operates at 11 Mbps on the 2.4GHz frequency range. It’s slower than “a” and “g,” but soon after its release it became the de facto standard for wireless. Price and network range contributed to this.
D is incorrect because 802.11n delivers 100+ Mbps (up to 600 Mbps on paper) and operates on the 2.4 GHz band, the 5 GHz band, or both. It reaches those rates using multiple-input, multiple-output (MIMO) antennas and wider 40 MHz channels.
11. The team has discovered an access point configured with WEP encryption. What is needed to perform a fake authentication to the AP in an effort to crack WEP? (Choose all that apply.)
A. A captured authentication packet
B. The IP address of the AP
C. The MAC address of the AP
D. The SSID
C, D. Cracking WEP generally comes down to capturing a whole bunch of packets and running a little math magic to crack the key. If you want to generate traffic by sending fake authentication packets to the AP, you need the AP's MAC address (its BSSID) and the SSID to make the attempt. With aireplay-ng, fake authentication is mode -1: it takes the BSSID (-a), the ESSID (-e), and the MAC address you are authenticating from (-h), which must already be permitted if the AP filters MACs.
A and B are incorrect because this information is not needed for a fake authentication packet. Sure, you can capture and replay an entire authentication packet, but it won't do much good, and the IP address is not needed at all; 802.11 authentication and association happen at layer 2, before any IP address is in play.
12. Which of the tools listed here is a passive discovery tool?
A. Aircrack
B. Kismet
C. NetStumbler
D. Netsniff
B. A question like this one can be a little tricky, depending on its wording; however, per EC-Council, Kismet works as a true passive network discovery tool, with no packet injection whatsoever. The following is from www.kismetwireless.net: "Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and (with appropriate hardware) can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet also supports plugins which allow sniffing other media." You might also see two other interesting notables about Kismet on your exam: First, it channel-hops, so that it discovers as many networks as possible instead of sitting on one channel. Second, it can sniff packets and save them to a log file readable by Wireshark or tcpdump.
A is incorrect because Aircrack is “an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the all-new PTW attack” (http://www.aircrack-ng.org).
C is incorrect because NetStumbler is considered an active network discovery application. NetStumbler is among the most popular wireless tools you might see in anyone’s arsenal.
D is incorrect because Netsniff is included as a distractor and is not a valid tool.
13. You have discovered an access point using WEP for encryption purposes. Which of the following is the best choice for uncovering the network key?
A. NetStumbler
B. Aircrack
C. John the Ripper
D. Kismet
B. Aircrack (today aircrack-ng) is a fast tool for cracking WEP. You'll need to gather a lot of packets using another toolset (assuming you've collected at least 50,000 packets or so, it'll work swimmingly fast), but once you have them together, Aircrack does a wonderful job cracking the key. One name you may see referenced on the exam is KoreK: a family of statistical attacks on RC4 that aircrack-ng implements alongside FMS and PTW, and also the author of chopchop, which strips the last byte off an encrypted packet, guesses it, and uses the AP's response as an oracle to recover keystream without knowing the key. The more keystream recovered, the more forged traffic can be injected and the faster the key falls. Other tools for cracking WEP include Cain (which can also use KoreK), KisMAC, WEPCrack, and Elcomsoft's Wireless Security Auditor tool.
A is incorrect because NetStumbler is a network discovery tool. It can also be used to identify rogue access points and interference and is also useful in measuring signal strength (for aiming antennas and such).
C is incorrect because John the Ripper is a password-hash cracking tool (it runs on Linux, Windows, and most other platforms), not a wireless key recovery tool.
D is incorrect because Kismet is a passive network discovery (and other auditing) tool but does not perform key cracking.
14. Which of the following statements are true regarding TKIP? (Choose all that apply.)
A. Temporal Key Integrity Protocol forces a key change every 10,000 packets.
B. Temporal Key Integrity Protocol ensures keys do not change during a session.
C. Temporal Key Integrity Protocol is an integral part of WEP.
D. Temporal Key Integrity Protocol is an integral part of WPA.
A, D. TKIP is a significant step forward in wireless security. Instead of sticking with one key throughout a session with a client and reusing it, as occurred in WEP, Temporal Key Integrity Protocol mixes a fresh per-packet key and rotates the temporal keys every 10,000 packets or so. Additionally, the keys themselves are never sent over the air: both sides derive them during the EAPOL four-way handshake that follows authentication (802.1X/EAP in enterprise mode, or the pre-shared key in personal mode), a four-message exchange that proves the client and the AP each hold the same pairwise master key and delivers the encrypted group key. TKIP came about in WPA.
B and C are simply incorrect statements. TKIP does not maintain a single key, it changes the key frequently, and it is part of WPA (and WPA2), not WEP.
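The handshake described above is also what makes WPA/WPA2-PSK crackable offline: it carries both nonces and a MIC computed with a key derived from the passphrase and SSID, so anyone who captured it can test passphrases against the MIC without touching the network again. The Python below is an added example (not code from this chapter or from aircrack-ng) that works through that derivation with the standard library only: PBKDF2 for the PMK, the 802.11i PRF for the PTK, and the MIC comparison a dictionary attack performs. The network name, passphrase, MAC addresses, nonces, and EAPOL body are constructed for the demo; the PMK function is checked against the published 802.11i test vector (passphrase "password", SSID "IEEE").

```python
"""WPA/WPA2-PSK key derivation and the offline passphrase check a captured four-way handshake permits."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), per IEEE 802.11i."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1 over label || 0x00 || data || counter, concatenated and truncated."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_handshake(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (48 bytes): KCK (16) || KEK (16) || TK (16). Both sides compute it; it never crosses the air."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key MIC of an EAPOL-Key frame for WPA2/CCMP: HMAC-SHA1 with the KCK, truncated to 16 bytes (WPA/TKIP used HMAC-MD5)."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_psk(candidates, ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame_mic_zeroed, captured_mic):
    """What a wordlist attack on a handshake capture does: derive PMK and PTK per guess, recompute the MIC, compare."""
    for guess in candidates:
        ptk = ptk_from_handshake(pmk_from_passphrase(guess, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], eapol_frame_mic_zeroed), captured_mic):
            return guess
    return None


def constructed_handshake():
    """A made-up capture: SSID, passphrase, addresses, nonces, and EAPOL body are constructed here, and the MIC
    is computed from the 'real' passphrase so the offline check has something genuine to verify against."""
    ssid, passphrase = "CorpWiFi", "summer2014"
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    # Stand-in for message 2 of the handshake with its 16-byte MIC field zeroed (not a full EAPOL-Key encoding)
    eapol = b"\x01\x03" + bytes(30) + snonce + bytes(64)
    ptk = ptk_from_handshake(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return ssid, ap_mac, sta_mac, anonce, snonce, eapol, eapol_mic(ptk[:16], eapol)


if __name__ == "__main__":
    capture = constructed_handshake()
    wordlist = ["letmein", "CorpWiFi", "Password1", "summer2014", "Summer2014"]
    print("PMK for the 802.11i test vector:", pmk_from_passphrase("password", "IEEE").hex())
    print("passphrase recovered from the constructed handshake:", crack_psk(wordlist, *capture))
```

Each guess costs one 4096-iteration PBKDF2 run, and that cost is the only thing standing between a captured handshake and the key; the defence is passphrase length and entropy (or enterprise-mode 802.1X, where there is no shared passphrase to guess), not the protocol.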
15. Regarding SSIDs, which of the following are true statements? (Choose all that apply.)
A. SSIDs are always 32 characters in length.
B. SSIDs can be up to 32 characters in length.
C. Turning off broadcasting prevents discovery of the SSID.
D. SSIDs are part of every packet header from the AP.
E. SSIDs provide important security for the network.
F. Multiple SSIDs are needed to move between APs within an ESS.
B, D. Service set identifiers have only one real function in life, so far as you’re concerned on this exam: identification. They are not a security feature in any way, shape, or form, and they are designed solely to identify one access point’s network from another’s—which is part of the reason they’re carried in all packets. SSIDs can be up to 32 characters in length but don’t have to be that long (in fact, you’ll probably discover most of them are not).
A is incorrect because SSIDs do not have to be 32 characters in length. They can be, but they do not have to fill 32 characters of space.
C is incorrect because “cloaking” the SSID really doesn’t do much at all. It’s still part of every packet header, so discovery is relatively easy.
E is incorrect because SSIDs are not considered a security feature for wireless networks.
F is incorrect because an extended service set (ESS; an enterprise-wide wireless network consisting of multiple APs) requires only a single SSID that all APs work with.
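To see why "cloaking" buys so little, here is an added example (not from the book) that parses the SSID element out of two constructed 802.11 management frames: a beacon from an AP with SSID broadcast turned off, and the probe response the same AP still sends with the name in the clear. The frame bytes, addresses and the name "corp-wifi" are all constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
)

// mgmtFrame builds a constructed management frame: 24-byte MAC header, 12 bytes
// of fixed fields (timestamp, interval, capabilities), then tagged elements.
// Frame control 0x80 = beacon, 0x50 = probe response. Addresses are placeholders.
func mgmtFrame(fc byte, elements []byte) []byte {
	hdr := []byte{fc, 0x00, 0x00, 0x00,
		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, // DA: broadcast
		0x02, 0x00, 0x00, 0x00, 0x00, 0x01, // SA: constructed AP address
		0x02, 0x00, 0x00, 0x00, 0x00, 0x01, // BSSID
		0x10, 0x00} // sequence control
	return append(append(hdr, make([]byte, 12)...), elements...)
}

// ExtractSSID returns the SSID carried in the frame's SSID element (ID 0) and
// whether it is "cloaked" (zero length or all NUL bytes, as hidden APs send).
func ExtractSSID(frame []byte) (ssid string, cloaked bool, err error) {
	if len(frame) < 36 {
		return "", false, errors.New("frame too short for a management frame")
	}
	ftype, subtype := (frame[0]>>2)&0x3, frame[0]>>4
	if ftype != 0 || (subtype != 8 && subtype != 5) {
		return "", false, errors.New("not a beacon or probe response")
	}
	body := frame[36:]
	for len(body) >= 2 {
		id, n := body[0], int(body[1])
		if len(body) < 2+n {
			return "", false, errors.New("truncated element")
		}
		val := body[2 : 2+n]
		if id == 0 {
			allNul := true
			for _, b := range val {
				allNul = allNul && b == 0
			}
			return string(val), n == 0 || allNul, nil
		}
		body = body[2+n:]
	}
	return "", false, errors.New("no SSID element")
}

// HiddenBeacon: the SSID element is present but empty; the AP is "cloaked".
var HiddenBeacon = mgmtFrame(0x80, []byte{0x00, 0x00, 0x01, 0x01, 0x82})

// ProbeResponse from the same AP: the SSID element carries the name in clear.
var ProbeResponse = mgmtFrame(0x50, append([]byte{0x00, 9}, []byte("corp-wifi")...))

func main() {
	for _, f := range [][]byte{HiddenBeacon, ProbeResponse} {
		ssid, cloaked, err := ExtractSSID(f)
		fmt.Printf("ssid=%q cloaked=%v err=%v\n", ssid, cloaked, err)
	}
}
```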
16. You are discussing WEP cracking with a junior pen test team member. Which of the following are true statements regarding the initialization vectors? (Choose all that apply.)
A. IVs are 32 bits in length.
B. IVs are 24 bits in length.
C. IVs get reused frequently.
D. IVs are sent in clear text.
E. IVs are encrypted during transmission.
F. IVs are used once per encryption session.
B, C, D. Weak initialization vectors and poor encryption are part of the reason WEP implementation is not encouraged as a true security measure on wireless networks. And, let’s be fair here, it was never truly designed to be, which is why it’s named Wired Equivalent Privacy instead of Wireless Encryption Protocol (as some have erroneously tried to name it). IVs are 24 bits in length, are sent in clear text, and are reused a lot. Capture enough packets, and you can easily crack the code.
A, E, and F are incorrect statements. IVs are not 32 bits in length, are not encrypted themselves, and are definitely not used once per session (that would be even worse than being reused).
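To put a number on "reused a lot," here is an added example (not from the book) that works out the birthday bound for a 24-bit IV space and simulates an AP that draws IVs at random; the 50,000-frame figure is the one quoted under question 13. The random-IV model and the seed are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// ivSpace is the number of distinct 24-bit WEP initialization vectors: 2^24.
const ivSpace = 1 << 24

// BirthdayBound approximates the number of frames after which a uniformly
// random IV is expected to repeat for the first time, sqrt(pi/2 * N).
// For N = 2^24 this is roughly 5,100 frames, not 16 million.
func BirthdayBound(space int) float64 {
	return math.Sqrt(math.Pi / 2 * float64(space))
}

// FirstRepeat simulates an AP drawing IVs uniformly at random (seeded so the
// run is reproducible) and returns the 1-based frame number at which an IV
// is reused for the first time.
func FirstRepeat(seed int64) int {
	rng := rand.New(rand.NewSource(seed))
	seen := make(map[uint32]struct{})
	for frame := 1; ; frame++ {
		iv := uint32(rng.Intn(ivSpace))
		if _, dup := seen[iv]; dup {
			return frame
		}
		seen[iv] = struct{}{}
	}
}

// RepeatsIn counts how many of n random IVs duplicate one already sent in the
// same capture. Each duplicate is a frame encrypted with the same RC4
// keystream as an earlier one, which is what makes a large capture valuable
// to the cracking tools in the question; for 50,000 frames the expectation is
// about n^2/(2N), roughly 74.
func RepeatsIn(n int, seed int64) int {
	rng := rand.New(rand.NewSource(seed))
	seen := make(map[uint32]struct{}, n)
	repeats := 0
	for i := 0; i < n; i++ {
		iv := uint32(rng.Intn(ivSpace))
		if _, dup := seen[iv]; dup {
			repeats++
			continue
		}
		seen[iv] = struct{}{}
	}
	return repeats
}

func main() {
	fmt.Printf("expected first repeat after ~%.0f frames\n", BirthdayBound(ivSpace))
	fmt.Printf("simulated first repeat at frame %d\n", FirstRepeat(1))
	fmt.Printf("repeated IVs among 50,000 frames: %d\n", RepeatsIn(50000, 1))
}
```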
17. A pen test member has configured a wireless access point with the same SSID as the target organization’s SSID and has set it up inside a closet in the building. After some time, clients begin connecting to his access point. Which of the following statements are true regarding this attack? (Choose all that apply.)
A. The rogue access point may be discovered by security personnel using NetStumbler.
B. The rogue access point may be discovered by security personnel using NetSurveyor.
C. The rogue access point may be discovered by security personnel using Kismet.
D. The rogue access point may be discovered by security personnel using Aircrack.
E. The rogue access point may be discovered by security personnel using ToneLoc.
A, B, C. Rogue access points (sometimes called evil twin attacks) can provide an easy way to gain useful information from clueless users on a target network. However, be forewarned, security personnel can use multiple tools and techniques to discover rogue APs. NetStumbler is one of the more popular, and useful, tools available. It’s a great network discovery tool that can also be used to identify rogue access points, network interference, and signal strength. Kismet, another popular tool, provides many of the same features and is noted as a “passive” network discovery tool. NetSurveyor is a free, easy-to-use Windows-based tool that provides many of the same features as NetStumbler and Kismet and works with virtually every wireless NIC in modern existence. A “professional” version of NetSurveyor is now available (you get ten uses of it before you’re required to buy a license). Lastly, identifying a rogue access point requires the security staff to have knowledge of every access point owned—and its MAC. If it’s known there are ten APs in the network and suddenly an 11th appears, that alone won’t help find and disable the bad one. It takes some level of organization to find these things, and that plays into your hands as an ethical hacker. The longer your evil twin is left sitting there, the better chance it will be found, so keep it short and sweet.
D is incorrect because Aircrack is used to crack network encryption codes, not to identify rogue access points.
E is incorrect because ToneLoc is a tool used for war dialing (identifying open modems within a block of phone numbers). As an aside, this was also the moniker for a 1980s one-hit-wonder rapper, although I can promise that won’t be on your exam.
18. A pen test member is running the Airsnarf tool from a Linux laptop. What is she attempting?
A. MAC flooding against an AP on the network
B. Denial-of-service attacks against APs on the network
C. Cracking network encryption codes from the WEP AP
D. Stealing usernames and passwords from an AP
D. Identifying tools and what they do is a big part of the exam—which is easy enough because it’s pure memorization, and this is a prime example. Per the website (http://airsnarf.shmoo.com/), “Airsnarf is a simple rogue wireless access point setup utility designed to demonstrate how a rogue AP can steal usernames and passwords from public wireless hotspots. Airsnarf was developed and released to demonstrate an inherent vulnerability of public 802.11b hotspots—snarfing usernames and passwords by confusing users with DNS and HTTP redirects from a competing AP.” It basically turns your laptop into a competing AP in the local area and confuses client requests into being sent your way.
A is incorrect because Airsnarf does not provide MAC flooding. You may want to MAC flood a network switch for easier sniffing, but that doesn’t work the same way for an access point on a wireless network.
B is incorrect because Airsnarf is not a DoS tool. You can make an argument the clients themselves are denied service while they’re erroneously communicating with the Airsnarf laptop, but it’s not the intent of the application to perform a DoS attack on the network. Quite the opposite: the longer things stay up and running, the more usernames and passwords that can be gathered.
C is incorrect because Airsnarf is not an encryption-cracking tool. It reads a lot like “Aircrack,” so don’t get confused (these will be used as distractors against one another on your exam).
19. What frequency does Bluetooth operate in?
A. 2.4–2.48 GHz
B. 2.5 GHz
C. 2.5–5 GHz
D. 5 GHz
A. Yes, you may actually get a question this “down in the weeds” regarding Bluetooth. As an additional study note, you will commonly see a reference to Bluetooth working at 2.45 GHz (the FCC reserves certain frequency ranges for public access, and this is in the range; check http://reboot.fcc.gov/spectrumdashboard/searchSpectrum.seam?conversationId=4494.com for more details). Bluetooth is designed to work within a ten-meter range and can attach up to eight devices simultaneously. It makes use of something called spread-spectrum frequency hopping, which significantly reduces the chance that more than one device will use the same frequency in communicating.
Want more inane knowledge you might get quizzed on out of the blue? You may see a question regarding something called the “phase-shift key” (PSK) used in Bluetooth 2.0 (and other wireless communication methods). Bluetooth 2.0 EDR uses 8DPSK and a really weird one called π/4-DQPSK. Both are digital modulation schemes used for data transmission. Others in use with wireless communication include Binary PSK (BPSK; used in RFID-type cards), Quadrature PSK (QPSK; used for CDMA cellular and 802.11b communications), and Differential BPSK (DBPSK; also used in 802.11b networking).
B, C, and D are incorrect frequency ranges for Bluetooth.
20. What is the integrity check mechanism for WPA2?
A. CBC-MAC
B. CCMP
C. RC4
D. TKIP
A. If you’ve not done your reading and study, this one could be quite tricky. WPA2 uses CCMP as its encryption protocol, and CCMP uses CBC-MAC for authentication and integrity. Counter Mode CBC-MAC Protocol is an encryption protocol specifically designed for 802.11i wireless networking. As for how exactly it provides integrity, the true techno-babble answer is very long and confusing, but the short of it is this: the message is encrypted with a block cipher, and the encryption of each block in the chain is dependent on the encryption value of the block in front of it. In other words, if block 2 is altered in any way, then decryption of blocks 3, 4, and so on becomes impossible. One final note on CCMP for your study and memory: CCMP is based on AES processing and uses a 128-bit key and a 128-bit block size, and ECC sometimes refers to it as AES-CCMP.
B is incorrect because CCMP is the encryption protocol that makes use of CBC-MAC.
C is incorrect because RC4 is an encryption algorithm used by WEP.
D is incorrect because Temporal Key Integrity Protocol is used in WPA.
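The chaining described above is easier to see in code. This is an added example, not from the book: a bare AES-128 CBC-MAC (the primitive CCMP builds its integrity check on), with a constructed key and payload, showing that a single flipped bit in block 2 changes the final tag so the frame fails verification. Full CCM also binds a nonce and the length into the first block; that part is left out here.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"errors"
	"fmt"
)

// CBCMAC returns the 16-byte CBC-MAC of msg under an AES-128 key: each block is
// XORed with the previous block's ciphertext and encrypted, so the last output
// depends on every block before it. The message is zero-padded to a block
// multiple. Real CCM prefixes a block carrying the nonce and message length,
// which this demonstration omits, so it is only sound for fixed-length input.
func CBCMAC(key, msg []byte) ([]byte, error) {
	if len(key) != 16 {
		return nil, errors.New("AES-128 needs a 16-byte key")
	}
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := c.BlockSize()
	padded := make([]byte, ((len(msg)+bs-1)/bs)*bs)
	copy(padded, msg)
	chain := make([]byte, bs) // all-zero starting value
	buf := make([]byte, bs)
	for off := 0; off < len(padded); off += bs {
		for i := range buf {
			buf[i] = padded[off+i] ^ chain[i]
		}
		c.Encrypt(chain, buf)
	}
	return chain, nil
}

// Verify recomputes the tag for msg and compares it in constant time.
func Verify(key, msg, tag []byte) bool {
	want, err := CBCMAC(key, msg)
	return err == nil && subtle.ConstantTimeCompare(want, tag) == 1
}

// Constructed key and 48-byte (three-block) frame payload; not real traffic.
var DemoKey = []byte("constructed-key!")
var DemoMsg = []byte("seq=0042 station=02:00:00:00:00:01 payload=hello")

// FlipBit returns a copy of msg with one bit flipped at the given byte offset,
// standing in for an in-flight modification of that block.
func FlipBit(msg []byte, offset int) []byte {
	out := append([]byte(nil), msg...)
	out[offset] ^= 0x01
	return out
}

func main() {
	tag, _ := CBCMAC(DemoKey, DemoMsg)
	fmt.Printf("tag=%x\n", tag)
	fmt.Println("original verifies:", Verify(DemoKey, DemoMsg, tag))
	fmt.Println("block 2 altered verifies:", Verify(DemoKey, FlipBit(DemoMsg, 20), tag))
}
```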
21. Jack receives a text message on his phone advising him of a major attack at his bank. The message includes a link to check his accounts. After clicking the link, an attacker takes control of his accounts in the background. Which of the following attacks is Jack facing?
A. Phishing
B. Smishing
C. Vishing
D. App sandboxing
B. Smishing is the term given to a mobile device attack whereby an attacker sends an SMS text message to a target with an embedded link. If the user clicks the malicious link, the attacker gains valuable information and control. These attacks are successful for largely the same reasons phishing is so effective in the e-mail world—people just click through sometimes without pausing to think about it. Users who would otherwise ignore an e-mail with a link in it from an unknown (or even known) source sometimes don’t think twice when the link is in a text message.
A is incorrect because the term phishing refers to e-mail messaging and works in much the same way as smishing.
C is incorrect because vishing is a term referring to the use of phone calls and voice messaging to carry out an attack.
D is incorrect because app sandboxing is not an attack on its own: it’s a security measure designed to limit resources an application can access on a mobile device.
22. Which of the following allows an Android user to attain privileged control of the device?
A. DroidSheep
B. SuperOneClick
C. Faceniff
D. ZitMo
B. Rooting of an Android device is the same idea as jailbreaking an iOS one: allowing the user total control over the device to add applications, modify system files and actions, and (in some cases and usually risking security to do so) improve performance. Rooting can be done by a variety of methods, but some tools you can use are SuperOneClick, Superboot, One Click Root, and Kingo. In SuperOneClick, you simply connect the phone to a system over USB (ensuring it’s in charge mode only), enable USB Debugging, and run the application.
A is incorrect because DroidSheep is a tool used for session hijacking on Android devices. It can extract session IDs and sidejack on WEP, WPA, and WPA2 networks.
C is incorrect because Faceniff is a sniffer for Android, designed to sniff and intercept web profiles.
D is incorrect because ZitMo (Zeus-in-the-Mobile) is a banking Trojan. ZitMo can even enable bot-like control and command for attackers over the infected device.
23. Which of the following is a true statement regarding wireless security?
A. WPA2 is a better encryption choice than WEP.
B. WEP is a better encryption choice than WPA2.
C. Cloaking the SSID and implementing MAC filtering eliminate the need for encryption.
D. Increasing the length of the SSID to its maximum increases security for the system.
A. WPA2 is, by far, a better security choice for your system. It makes use of TKIP, to change out the keys every 10,000 packets instead of using one for the entire session (as in WEP). Additionally, WPA2 uses AES for encryption and a 128-bit encryption key, as opposed to RC4 and 24-bit IVs in WEP.
B is incorrect because WEP only provides the equivalent privacy of being on a wired network. Its “encryption” is ridiculously easy to crack and is not considered a valid security measure. It’s perfectly reasonable to use it if your goal is just to frustrate casual surfers from connecting to your network (such as your neighbors), but it’s not a valid encryption method.
C is incorrect because these two options do nothing to protect the actual data being transmitted. SSID cloaking is somewhat pointless, given that SSIDs are included in every header of every packet (not to mention that SSIDs aren’t designed for security). MAC filtering will frustrate casual observers; however, spoofing a MAC address on the network is relatively easy and eliminates this as a foolproof security method.
D is incorrect because the length of an SSID has nothing whatsoever to do with security and encryption. Increasing the length of the SSID does not increase network security.
24. A pen test colleague is attempting to use a wireless connection inside the target’s building. On his Linux laptop he types the following commands:
What is the most likely reason for this action?
A. Port security is enabled on the access point.
B. The SSID is cloaked from the access point.
C. MAC filtering is enabled on the access point.
D. Weak signaling is frustrating connectivity to the access point.
C. The sequence of the preceding commands has the attacker bringing the wireless interface down, changing its hardware address, and then bringing it back up. The most likely reason for this is MAC filtering is enabled on the AP, which is restricting access to only those machines the administrator wants connecting to the wireless network. The easy way around this is to watch traffic and copy one of the MAC addresses. A quick spoof on your own hardware and—voilà—you’re connected. As an aside, MAC spoofing isn’t just for the wireless world. The command would be slightly different (wlan0 refers to a wireless NIC; eth0 would be an example of a wired port), but the idea is the same.
A is incorrect because port security isn’t an option on wireless access points. Were this attacker connecting to a switch, this might be valid, but not on a wireless connection.
B is incorrect because SSID cloaking has nothing to do with this scenario. The commands are adjusting a MAC address.
D is incorrect because weak signal strength has nothing to do with this scenario. The commands are adjusting a MAC address.
25. An individual attempts to make a call using his cell phone; however, it seems unresponsive. After a few minutes of effort, he turns it off and turns it on again. During his next phone call, the phone disconnects and becomes unresponsive again. Which Bluetooth attack is underway?
A. Bluesmacking
B. Bluejacking
C. Bluesniffing
D. Bluesnarfing
A. From the description, it appears the phone is either defective or—since it’s spelled out so nicely in the question for you—there is a denial-of-service attack against the phone. Bluesmacking is a denial-of-service attack on a Bluetooth device. An attacker somewhere nearby (within ten meters or, for the real bad guys, farther away using a big enough transmitter, amplifier, and antenna) is using something like the Linux Bluez packages (http://www.bluez.org) to carry out a DoS against the phone.
B is incorrect because bluejacking involves sending unsolicited messages—much like spam—to a Bluetooth device.
C is incorrect because bluesniffing is a basic sniffing attempt, where the device’s transmissions are sniffed for useful information.
D is incorrect because bluesnarfing refers to the actual theft of data directly from the device. This takes advantage of the “pairing” feature of most Bluetooth devices, willingly seeking out other devices to link up with.
26. Which of the following is a pairing mode in Bluetooth that rejects every pairing request?
A. Non-pairing
B. Non-discoverable
C. Promiscuous
D. Bluejack
A. When you get a simple question on the exam, celebrate. Bluetooth has two pairing modes and three discovery modes. Pairing—the decision to pair with another device requesting it—is either turned on (pairing mode, where every request is accepted) or off (non-pairing mode, where every request is rejected). Discovery—the decision to respond to search requests and let the inquiry know the device is live and available—can be fully on (discoverable mode, responding to everything from everyone), partially on (limited-discoverable mode, responding only during a short time span), or off altogether (never answering an inquiry).
B is incorrect because non-discoverable is a discovery mode, not a pairing one.
C is incorrect because promiscuous has no meaning in this context.
D is incorrect because bluejack refers to a Bluetooth attack where an attacker can leverage the target phone’s contacts, resulting in anonymous, unsolicited message transmission to targets.