Chapter 25 Quiz: Wireless Network Attacks

Test your understanding of wireless security protocols, attack techniques, and defensive measures.


Question 1: Why is WEP encryption considered fundamentally broken?

A) It uses an encryption key that is too long
B) Its 24-bit Initialization Vector space is too small, leading to IV reuse and statistical attacks on the RC4 keystream
C) It requires too much computational power to encrypt
D) It was never standardized by IEEE

Correct Answer: B

Explanation: WEP's 24-bit IV provides only 16.7 million possible values, which are exhausted quickly on busy networks. IV reuse with the same key in RC4 allows statistical attacks (FMS, PTW) that recover the key. Combined with weak key scheduling and lack of key management, WEP can be cracked in minutes regardless of key length.


Question 2: What information is needed to perform an offline dictionary attack against a WPA2-PSK network?

A) Only the network SSID
B) A captured four-way handshake or PMKID
C) The MAC address of the access point
D) The IP address range of the network

Correct Answer: B

Explanation: To perform an offline dictionary attack against WPA2-PSK, the attacker needs either a captured four-way handshake (containing the ANonce, SNonce, MAC addresses, and MIC) or a PMKID. These allow the attacker to compute candidate PMKs from dictionary words and verify them against the captured data without interacting with the network.


Question 3: How does the PMKID attack differ from traditional WPA2 handshake cracking?

A) PMKID requires more captured packets
B) PMKID can be captured without any clients connected and without deauthentication
C) PMKID only works against WPA3 networks
D) PMKID requires physical access to the access point

Correct Answer: B

Explanation: The PMKID attack captures the Pairwise Master Key Identifier from the first message of the four-way handshake, sent by the AP. This means no client needs to be connected, and no deauthentication is required. The attacker simply sends an authentication request to the AP and captures its response containing the PMKID.


Question 4: What does the KRACK attack exploit?

A) A weakness in the AES encryption algorithm
B) The retransmission and reinstallation of keys during the WPA2 four-way handshake
C) A buffer overflow in wireless drivers
D) Weak passwords in WPA2-PSK networks

Correct Answer: B

Explanation: KRACK (Key Reinstallation Attack) exploits the retransmission of message 3 in the four-way handshake. When the client reinstalls the key, it resets the nonce and replay counter, violating the cryptographic requirement that nonces never be reused with the same key. This enables packet decryption and, with some cipher suites (TKIP, GCMP), packet forging as well.


Question 5: What improvement does WPA3's SAE (Simultaneous Authentication of Equals) provide over WPA2-PSK?

A) Faster authentication
B) Resistance to offline dictionary attacks and forward secrecy
C) Support for longer passwords
D) Backward compatibility with WEP

Correct Answer: B

Explanation: SAE uses the Dragonfly key exchange, which provides resistance to offline dictionary attacks (each password guess requires online interaction) and forward secrecy (compromising the passphrase does not enable decryption of previously captured traffic). WPA2-PSK's four-way handshake allows unlimited offline guessing and does not provide forward secrecy.


Question 6: What were the Dragonblood vulnerabilities?

A) Flaws in WPA2's CCMP encryption
B) Side-channel and downgrade attacks against WPA3's SAE handshake
C) Buffer overflows in wireless access point firmware
D) Weaknesses in WPA3's management frame protection

Correct Answer: B

Explanation: Dragonblood (discovered by Vanhoef and Ronen in 2019) revealed timing side-channel attacks against SAE's hash-to-curve process, downgrade attacks against WPA3's transition mode, denial-of-service through forged commit messages, and group downgrade attacks. These vulnerabilities undermined some of WPA3's security promises but were addressed through implementation updates.


Question 7: In the context of wireless security, what is monitor mode?

A) A mode that monitors network performance metrics
B) A mode that allows a wireless adapter to capture all wireless frames on a channel, not just those addressed to it
C) A mode that monitors for rogue access points
D) A mode that limits the adapter to monitoring only one network

Correct Answer: B

Explanation: Monitor mode (rfmon) disables the filtering that normally causes a wireless adapter to process only frames addressed to it. In monitor mode, the adapter captures all wireless frames on the selected channel, including management frames, control frames, and data frames from any network. This is essential for wireless security testing.


Question 8: What is an evil twin attack?

A) Connecting two access points together to amplify signal
B) Creating a rogue access point that impersonates a legitimate network to lure clients
C) Using two wireless adapters simultaneously for faster cracking
D) Attacking two networks at the same time

Correct Answer: B

Explanation: An evil twin attack involves creating a rogue access point with the same SSID (and sometimes BSSID) as a legitimate network. Clients that connect to the rogue AP have their traffic routed through the attacker's system, enabling credential capture, man-in-the-middle attacks, and other exploitation. The attacker typically uses deauthentication to force clients off the legitimate AP.


Question 9: Which Bluetooth vulnerability allowed remote code execution without pairing or user interaction?

A) BlueSnarfing
B) KNOB
C) BlueBorne
D) BIAS

Correct Answer: C

Explanation: BlueBorne (2017) was a set of vulnerabilities in Bluetooth implementations across Android, iOS, Windows, and Linux that allowed remote code execution without pairing, user interaction, or the target device being in discoverable mode. It was also wormable, meaning it could spread from device to device.


Question 10: Why is hiding the SSID (not broadcasting it) not an effective security measure?

A) It causes performance issues
B) Hidden SSIDs are revealed whenever a client connects, sends probe requests, or responds to directed probes
C) Most operating systems cannot connect to hidden networks
D) It is prohibited by the 802.11 standard

Correct Answer: B

Explanation: SSID hiding merely removes the SSID from beacon frames. However, the SSID is transmitted in probe requests, probe responses, association requests, and reassociation requests. Any client connecting to the hidden network reveals the SSID. Tools like airodump-ng trivially discover hidden SSIDs by capturing these frames.


Question 11: What is the primary difference between WPA2-Personal and WPA2-Enterprise?

A) WPA2-Enterprise uses stronger encryption
B) WPA2-Personal uses a shared passphrase for all users; WPA2-Enterprise authenticates each user individually via a RADIUS server
C) WPA2-Enterprise is faster
D) WPA2-Personal is more secure

Correct Answer: B

Explanation: WPA2-Personal (PSK) uses a single shared passphrase for all users, deriving a common PMK. WPA2-Enterprise (802.1X) authenticates each user individually through a RADIUS server, providing per-user encryption keys, centralized credential management, certificate-based authentication options, and the ability to revoke individual user access without changing the shared secret.


Question 12: Which tool is specifically designed for BLE (Bluetooth Low Energy) sniffing?

A) aircrack-ng
B) Sniffle
C) Wireshark
D) Nmap

Correct Answer: B

Explanation: Sniffle is a modern BLE sniffer designed for the Texas Instruments CC1352/CC26x2 hardware platforms. While Wireshark can analyze BLE captures, it requires a capture tool to provide the data. Aircrack-ng is for Wi-Fi, and Nmap is a network scanner. Other BLE-specific tools include Ubertooth One and Btlejack.


Question 13: What does 802.11w (Protected Management Frames) protect against?

A) Password cracking
B) Deauthentication and disassociation attacks, by authenticating management frames
C) Evil twin attacks
D) WEP vulnerabilities

Correct Answer: B

Explanation: 802.11w (PMF) adds cryptographic protection to management frames, including deauthentication and disassociation frames. Without PMF, an attacker can send forged deauthentication frames to disconnect clients from the network. With PMF enabled, these frames are authenticated, preventing forgery. PMF is mandatory in WPA3.


Question 14: In the TJX breach, how did attackers initially access the company's network?

A) Through a phishing email
B) By exploiting WEP-encrypted wireless networks at retail stores
C) Through a SQL injection in the website
D) By physically accessing a server room

Correct Answer: B

Explanation: The TJX attackers exploited the company's WEP-encrypted wireless networks at retail locations. They captured wireless traffic from nearby locations (parking lots), cracked the WEP encryption, and gained access to the company's internal network. From there, they compromised the payment processing infrastructure, ultimately stealing over 94 million credit and debit card numbers.


Question 15: What is a KARMA attack?

A) An attack on WPA3 networks
B) A rogue AP that responds to all client probe requests, claiming to be whatever network the client is looking for
C) A denial-of-service attack against wireless networks
D) An attack on Bluetooth connections

Correct Answer: B

Explanation: KARMA (Karma Attack Radio Masquerading as Access-point) exploits clients' tendency to probe for previously connected networks. A KARMA-enabled AP monitors probe requests and responds to all of them, claiming to be the requested network. This tricks clients into connecting to the rogue AP automatically, enabling man-in-the-middle attacks.


Question 16: Which frequency band does Bluetooth operate in?

A) 900 MHz
B) 2.4 GHz ISM band
C) 5 GHz
D) 6 GHz

Correct Answer: B

Explanation: Bluetooth operates in the 2.4 GHz Industrial, Scientific, and Medical (ISM) band, the same band used by Wi-Fi (802.11b/g/n). Bluetooth uses frequency hopping spread spectrum (FHSS) across 79 channels (classic) or 40 channels (BLE) within this band.


Question 17: What is the recommended minimum passphrase length for a WPA2-PSK network to resist offline dictionary attacks?

A) 8 characters (the minimum required)
B) 12 characters
C) 20+ characters with random composition
D) Any length is equally secure with WPA2

Correct Answer: C

Explanation: While WPA2 requires a minimum of 8 characters, this is far too short to resist modern GPU-accelerated cracking. Security researchers recommend 20+ characters of random composition for WPA2-PSK networks. At this length, even powerful GPU clusters cannot feasibly crack the password. Alternatively, WPA2-Enterprise eliminates the PSK attack surface entirely.


Question 18: Which of the following best describes the non-overlapping channels in the 2.4 GHz Wi-Fi band (in North America)?

A) Channels 1, 3, 5
B) Channels 1, 6, 11
C) Channels 1, 5, 10
D) All 11 channels are non-overlapping

Correct Answer: B

Explanation: In the 2.4 GHz band, each Wi-Fi channel is 22 MHz wide, but channel center frequencies are spaced only 5 MHz apart. Adjacent channels therefore overlap and interfere with each other. Channels 1, 6, and 11 are spaced 25 MHz apart, far enough to avoid overlap, which makes them the standard non-overlapping channel set used in North America.