Many tools are available to the hacker for attacking and scanning WLANs. One of these tools that is valuable to an ethical hacker is NetStumbler.
1.1. Using NetStumbler
In this challenge exercise, you will use NetStumbler to scan for available wireless access points. You will need a laptop and wireless card to complete the exercise.
Estimated Time: 15 minutes.
Exam Prep Questions
Toby is concerned that some of the workers in the R&D facility have been asking about wireless networking. After discussing this with the plant's security manager, Toby gets approval to implement a policy that does not allow any wireless access. What else does Toby need to do besides create the policy. (Choose 2 answers.)
Pablo has set up a Linux PC with Airsnarf that he is planning to take down to the local coffee shop. What type of activity is he planning?
Which method of transmission hops between subchannels sending out short bursts of data on each subchannel for a short period of time?
At what frequency does Bluetooth operate?
You have enabled MAC filtering at the wireless access point. Which of the following is most correct?
After reading an online article about wireless security, Jay attempts to lock down the wireless network by turning off the broadcast of the SSID and changing its value. Jay's now frustrated when he realizes that unauthorized users are still connecting. What is wrong?
Which of the following is a wireless DoS tool?
Which of the following is the best option to prevent hackers from sniffing your information on the wired portion of your network?
Which of the following versions of EAP types only uses a password hash for client authentication?
WPA2 uses which of the following encryption standards?
The initialization vector for WEP was originally how long?
This version of 802.11 wireless operates at the 5.7255.825GHz range.
Although WEP is a good first start at securing wireless LAN communication, it has been widely reported as having vulnerabilities. Which of the following is one of the primary reasons that WEP is vulnerable?
WEP uses which of the following types of encryption?
Ron would like your advice on a wireless WEP cracking tool that can save him time and get him better results with fewer packets. Which of the following tools would you recommend?
Answers to Exam Questions
1. B. and D. Toby should provide employee awareness activities to make sure that employees know about the new policy and perform periodic site surveys to test for rogue access points. Answer A is incorrect, as disabling SNMP would have no effect because SNMP is used for network management. Answer C is incorrect because using a magnetron to build an 802.11 wireless jamming device could jam more than just wireless network devices, be a danger to those around it, and have an uncontrolled range.
2. B. Airsnarf is a rogue access point program that can be used to steal usernames and passwords from public wireless hotspots. Answers A, C, and D are incorrect because he is not attempting a DoS attack, Airsnarf will not detect rogue access points, and it is not used to perform site surveys.
3. D. Frequency-hopping spread spectrum hops between subchannels and sends out short bursts of data on each subchannel for a short period of time. Answer A is incorrect because direct-sequence spread spectrum uses a stream of information that is divided into small pieces and transmitted each of which is allocated across to a frequency channel across the spectrum. Answer B is incorrect because plesiochronous digital hierarchy is a technology used in telecommunications networks to transport large quantities of data over digital transport equipment such as fiber-optic cable. Answer C is incorrect, as time division multiplexing is used in circuit switched networks such as the Public Switched Telephone Network.
4. C. Bluetooth operates at 2.45GHz. It is available in three classes: 1, 2, and 3. It divides the bandwidth into narrow channels to avoid interference with other devices that use the same frequency. Answers A, B, and D are incorrect, as they do not specify the correct frequency.
5. A. MAC addresses can be spoofed; therefore, used by itself, it is not an adequate defense. Answer B is incorrect because MAC addresses can be spoofed. Answer C is incorrect, as IP addresses, like MAC addresses, can be spoofed. Answer D is incorrect, as MAC filtering will not prevent unauthorized devices from using the wireless network. All a hacker must do is spoof a MAC address.
6. D. The SSID is still sent in packets exchanged between the client and WAP; therefore, it is vulnerable to sniffing. Tools such as Kismet can be used to discover the SSID. Answer A is incorrect, as turning off the SSID will make it harder to find wireless access points, but ad-hoc or infrastructure will not make a difference. Answer B is incorrect because the SSID has been changed, and as such, the default will no longer work. Answer C is incorrect, as running DHCP or assigning IP address will not affect the SSID issue.
7. A. Void11 is a wireless DoS tool. Answer B is incorrect because RedFang is used for Bluetooth. Answer C is incorrect, as THC-Wardrive is used to map wireless networks, and answer D is incorrect because Kismet is used to sniff wireless traffic.
8. A. Strong password authentication protocols, such as Kerberos, coupled with the use of smart card and the secure remote password protocol are good choices to increase security on wired networks. The secure remote password protocol is the core technology behind the Stanford SRP Authentication Project. Answer B is incorrect because PAP, passwords, and Cat 5 cabling are not the best choices for wired security. PAP sends passwords in clear text. Answer C is incorrect, as 802.1x and WPA are used on wireless networks. Answer D is also incorrect, as WEP, MAC filtering, and no broadcast SSID are all solutions for wireless networks.
9. D. EAP-MD5 does not provide server authentication. Answers A, B, and C are incorrect because they do provide this capability. EAP-TLS does so by public key certificate or smart card. PEAP can use a variety of types, including CHAP, MS-CHAP and public key. EAP-TTLS uses PAP, CHAP, and MS-CHAP.
10. C. WPA2 uses AES, a symmetric block cipher. Answer A is incorrect, as WPA2 does not use RC4 although WEP does use it. Answer B is incorrect, as WPA2 does not use RC5. Answer D is incorrect because MD5 is a hashing algorithm and is not used for encryption.
11. C. WEP is the original version of wireless protection. It was based on RC4 and used a 24-bit IV. Answers A, B, and D are incorrect because they do not specify the correct length.
12. A. Three popular standards are in use for WLANs, along with a new standard, 802.11n, which is due for release. Of these four types, only 802.11a operates at the 5.7255.825GHz range. Answers B and C are incorrect, as 802.11b and 802.11g operate at the 2.40002.2835GHz range. Answer D is incorrect, as 802.1x deals with authentication.
13. B. The 24-bit IV field is too small because of this, and key reusage WEP is vulnerable. Answer A is incorrect because RC4 is not flawed. Answer C is incorrect because although 40 bits is not overly strong, that is not the primary weakness in WEP. Answer D is incorrect, as tools such as WEPCrack must capture five hours of traffic or more to recover the WEP key.
14. A. WEP uses a shared key, which is a type of symmetric encryption. Answer B is incorrect, as WEP does not use asymmetric encryption. Answer C is incorrect because public key encryption is the same as asymmetric encryption. Answer D is incorrect, as SHA-1 is a hashing algorithm.
15. B. In 2004, the nature of WEP cracking changed when a hacker named KoreK released a new piece of attack code that sped up WEP key recovery by nearly two orders of magnitude. Instead of the need to collect 10 million packets to crack the WEP key, it now took less than 200,000 packets. Aircrack is one of the tools that have implemented this code. Answer A is incorrect, as Kismet is a wireless sniffer. Answer C is incorrect, as WEPCrack does not use the fast WEP cracking method. Answer D is incorrect because AirSnare is a wireless IDS.
Suggested Reading and Resources
www.totse.com/en/media/cable_and_satellite_television_hacksCable and satellite TV hacks
www.wired.com/wired/archive/12.12/phreakers.htmlAttacking cell phone security
www.tomsnetworking.com/Sections-article106.phpBluetooth sniper rifle
www.crimemachine.com/Tuts/Flash/void11.htmlVoid11 wireless deauthentication attack
www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdfWeaknesses in the Key Scheduling Algorithm of RC4
www.tscm.com/warningsigns.htmlThe warning signs of covert eavesdropping and bugging
www.tomsnetworking.com/Sections-article111.phpThe Feds Can Own Your WLAN Too
www.wi-fiplanet.com/columns/article.php/1556321The Michael vulnerability in WPA
http://manageengine.adventnet.com/products/wifi-manager/rogue-access-point-detection.htmlFinding rogue access points
IDS, Firewalls, and Honeypots
Part I: Exam Preparation
The Business Aspects of Penetration Testing
The Technical Foundations of Hacking
Footprinting and Scanning
Enumeration and System Hacking
Linux and Automated Security Assessment Tools
Trojans and Backdoors
Sniffers, Session Hijacking, and Denial of Service
Web Server Hacking, Web Applications, and Database Attacks
Wireless Technologies, Security, and Attacks
IDS, Firewalls, and Honeypots
Buffer Overflows, Viruses, and Worms
Cryptographic Attacks and Defenses
Physical Security and Social Engineering
Part II: Final Review
Part III: Appendixes
Appendix A. Using the ExamGear Special Edition Software