A security technician is attempting to access a wireless network protected with WEP. The technician does not know any information about the network. Which of the following should the technician do to gather information about the configuration of the wireless network?
A. Spoof the MAC address of an observed wireless network client B. Ping the access point to discover the SSID of the network C. Perform a dictionary attack on the access point to enumerate the WEP key D. Capture client to access point disassociation packets to replay on the local PC’s loopback
Answer: A
Explanation: With ARP spoofing (also known as ARP poisoning), the MAC (Media Access Control) address of the data is faked. By faking this value, it is possible to make it look as if the data came from a network that it did not. This can be used to gain access to the network, to fool the router into sending data here that was intended for another host, or to launch a DoS attack. In all cases, the address being faked is an address of a legitimate user, and that makes it possible to get around such measures as allow/deny lists. Note: As an example, the initialization vector (IV) that WEP uses for encryption is 24-bit, which is quite weak and means that IVs are reused with the same key. By examining the repeating result, it was easy for attackers to crack the WEP secret key. This is known as an IV attack.
After a recent breach, the security administrator performs a wireless survey of the corporate network. The security administrator notices a problem with the following output: MACSSIDENCRYPTIONPOWERBEACONS 00:10:A1:36:12:CCMYCORPWPA2 CCMP601202 00:10:A1:49:FC:37MYCORPWPA2 CCMP709102 FB:90:11:42:FA:99MYCORPWPA2 CCMP403031 00:10:A1:AA:BB:CCMYCORPWPA2 CCMP552021 00:10:A1:FA:B1:07MYCORPWPA2 CCMP306044 Given that the corporate wireless network has been standardized, which of the following attacks is underway?
A. Evil twin B. IV attack C. Rogue AP D. DDoS
Answer: A
Explanation: The question states that the corporate wireless network has been standardized. By ‘standardized’ it means the wireless network access points are running on hardware from the same vendor. We can see this from the MAC addresses used. The first half of a MAC address is vendor specific.
The second half is network adapter specific. We have four devices with MAC addresses that start with 00:10:A1. The “odd one out” is the device with a MAC address starting FB:90:11. This device is from a different vendor. The SSID of the wireless network on this access point is the same as the other legitimate access points. Therefore, the access point with a MAC address starting FB:90:11 is impersonating the corporate access points. This is known as an Evil Twin.
An evil twin, in the context of network security, is a rogue or fake wireless access point (WAP) that appears as a genuine hotspot offered by a legitimate provider. In an evil twin attack, an eavesdropper or hacker fraudulently creates this rogue hotspot to collect the personal data of unsuspecting users. Sensitive data can be stolen by spying on a connection or using a phishing technique. For example, a hacker using an evil twin exploit may be positioned near an authentic Wi-Fi access point and discover the service set identifier (SSID) and frequency. The hacker may then send a radio signal using the exact same frequency and SSID. To end users, the rogue evil twin appears as their legitimate hotspot with the same name. In wireless transmissions, evil twins are not a new phenomenon. Historically, they were known as honeypots or base station clones. With the advancement of wireless technology and the use of wireless devices in public areas, it is very easy for novice users to set up evil twin exploits.
Which of the following means of wireless authentication is easily vulnerable to spoofing?
A. MAC Filtering B. WPA – LEAP C. WPA – PEAP D. Enabled SSID
Answer: A
Explanation: Each network interface on your computer or any other networked device has a unique MAC address. These MAC addresses are assigned in the factory, but you can easily change, or “spoof,” MAC addresses in software.
Networks can use MAC address filtering, only allowing devices with specific MAC addresses to connect to a network. This isn’t a great security tool because people can spoof their MAC addresses.
Which of the following BEST describes the type of attack that is occurring? (Select TWO).
A. DNS spoofing B. Man-in-the-middle C. Backdoor D. Replay E. ARP attack F. Spear phishing G. Xmas attack
Answer: A,E
Explanation: We have a legit bank web site and a hacker bank web site. The hacker has a laptop connected to the network. The hacker is redirecting bank web site users to the hacker bank web site instead of the legit bank web site. This can be done using two methods: DNS Spoofing and ARP Attack (ARP Poisoning).
A: DNS spoofing (or DNS cache poisoning) is a computer hacking attack, whereby data is introduced into a Domain Name System (DNS) resolver’s cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker’s computer (or any other computer). A domain name system server translates a human-readable domain name (such as example.com) into a numerical IP address that is used to route communications between nodes. Normally if the server doesn’t know a requested translation it will ask another server, and the process continues recursively. To increase performance, a server will typically remember (cache) these translations for a certain amount of time, so that, if it receives another request for the same translation, it can reply without having to ask the other server again. When a DNS server has received a false translation and caches it for performance optimization, it is considered poisoned, and it supplies the false data to clients. If a DNS server is poisoned, it may return an incorrect IP address, diverting traffic to another computer (in this case, the hacker bank web site server).
E: Address Resolution Protocol poisoning (ARP poisoning) is a form of attack in which an attacker changes the Media Access Control (MAC) address and attacks an Ethernet LAN by changing the target computer’s ARP cache with a forged ARP request and reply packets. This modifies the layer -Ethernet MAC address into the hacker’s known MAC address to monitor it. Because the ARP replies are forged, the target computer unintentionally sends the frames to the hacker’s computer first instead of sending it to the original destination. As a result, both the user’s data and privacy are compromised. An effective ARP poisoning attempt is undetectable to the user. ARP poisoning is also known as ARP cache poisoning or ARP poison routing (APR).
Which of the following wireless security measures can an attacker defeat by spoofing certain properties of their network interface card?
A. WEP B. MAC filtering C. Disabled SSID broadcast D. TKIP
Answer: B
Explanation: MAC filtering is typically used in wireless networks. In computer networking, MAC Filtering (or GUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network. MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of blacklists and whitelists. While the restriction of network access through the use of lists is straightforward, an individual person is not identified by a MAC address, rather a device only, so an authorized person will need to have a whitelist entry for each device that he or she would use to access the network. While giving a wireless network some additional protection, MAC filtering can be circumvented by scanning a valid MAC (via airodumping) and then spoofing one’s own MAC into a validated one.
Ann, the network administrator, is receiving reports regarding a particular wireless network in the building. The network was implemented for specific machines issued to the developer department, but the developers are stating that they are having connection issues as well as slow bandwidth. Reviewing the wireless router’s logs, she sees that devices not belonging to the developers are connecting to the access point. Which of the following would BEST alleviate the developer’s reports?
A. Configure the router so that wireless access is based upon the connecting device’s hardware address. B. Modify the connection’s encryption method so that it is using WEP instead of WPA2. C. Implement connections via secure tunnel with additional software on the developer’s computers. D. Configure the router so that its name is not visible to devices scanning for wireless networks.
Answer: A
Explanation: MAC addresses are also known as an Ethernet hardware address (EHA), hardware address or physical address. Enabling MAC filtering would allow for a WAP to restrict or allow access based on the hardware address of the device.
Peter, the security engineer, would like to prevent wireless attacks on his network. Peter has implemented a security control to limit the connecting MAC addresses to a single port. Which of the following wireless attacks would this address?
A. Interference B. Man-in-the-middle C. ARP poisoning D. Rogue access point
Answer: D
Explanation: MAC filtering is typically used in wireless networks. In computer networking, MAC Filtering (or GUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network. MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of blacklists and whitelists.
In this question, a rogue access point would need to be able to connect to the network to provide access to network resources. If the MAC address of the rogue access point isn’t allowed to connect to the network port, then the rogue access point will not be able to connect to the network.
Ann, a sales manager, successfully connected her company-issued smartphone to the wireless network in her office without supplying a username/password combination. Upon disconnecting from the wireless network, she attempted to connect her personal tablet computer to the same wireless network and could not connect. Which of the following is MOST likely the reason?
A. The company wireless is using a MAC filter. B. The company wireless has SSID broadcast disabled. C. The company wireless is using WEP. D. The company wireless is using WPA2.
Answer: A
Explanation: MAC filtering allows you to include or exclude computers and devices based on their MAC address.
After entering the following information into a SOHO wireless router, a mobile device’s user reports being unable to connect to the network: PERMIT 0A: D1: FA. B1: 03: 37 DENY 01: 33: 7F: AB: 10: AB Which of the following is preventing the device from connecting?
A. WPA2-PSK requires a supplicant on the mobile device. B. Hardware address filtering is blocking the device. C. TCP/IP Port filtering has been implemented on the SOHO router. D. IP address filtering has disabled the device from connecting.
Answer: B
Explanation: MAC filtering allows you to include or exclude computers and devices based on their MAC address.