Wideband RF jamming
Adjacent channel interference
Deauthentication, wideband RF jamming, and EAP-Start flooding can all cause authorized users not to be able to access network resources. DoS attacks typically take on two specific forms: physical and MAC layer. Physical DoS attacks are attacks against the RF medium, making it unusable for 802.11 stations. MAC layer attacks are attacks against the operation of the 802.11 and associated security protocols. RF jamming attacks the physical carrier sense mechanism, while 802.11 deauthentication attacks 802.11 MAC layer connectivity.
XYZ Corporation has hired you to audit their WLAN network security measures. XYZ Corp currently has the following security measures in place:
All access points have non-default management interface passwords
Access points have been configured not to broadcast their SSID in Beacons or to respond to Probe Request frames with null SSID values
128-bit WEP is in use by all access point and wireless client devices
MAC filters are implemented on all access points to allow only authorized users
Wireless Intrusion Prevention System (WIPS) with rogue detection and prevention
Your task is to compromise XYZ Corp's wireless network by gaining access to sensitive data. How do you start your initial attack against the WLAN, given the above security measures?
Locate the WLAN using Netstumbler. Compromise data security by using a narrowband RF jamming device against an access point. Use a WLAN client device to gain access to the wired network through the jammed access point.
Locate the WLAN and obtain the SSID using Kismet. Put the SSID into a protocol analyzer, and then decode frames looking for HTTP logins to a captive portal or an access point. Use the HTTP login to gain access to the wired network.
Locate the WLAN and obtain the WEP key using a spectrum analyzer. Put the WEP key into a WLAN client device and access the wired network. Since the correct WEP key is being used, the WIPS will not detect your client as a rogue device.
Locate the WLAN using a WLAN protocol analyzer. Gain access to sensitive data by attacking WEP security using a WEP cracking utility and putting the WEP key into the protocol analyzer.
Even though the SSID is not being announced in Beacons or Probe Response frames, protocol analyzers can still get the SSID because other frames include the SSID field. Protocol analyzers see all WLAN frames, provided they are within range of a WLAN transmitter. Cracking WEP has become a simple process using tools such as Aircrack. Once WEP is cracked, you can place the WEP key into the protocol analyzer to capture data in plain text. Since data security has been compromised through passive eavesdropping, the MAC filters and the non-default passwords on the APs are ineffective. WIPS cannot detect passive eavesdropping devices because they do not transmit 802.11 frames. WEP cracking tools do not require 802.11 frame transmission.
An intruder wants to perform a WLAN hijacking attack against a wireless laptop on its layer 2 and layer 3 connections. This will be followed by a peer attack against open file shares on the wireless laptop. What items must the intruder possess to conduct this attack?
The SSID and channel of the authorized network, a narrowband RF jamming device, access point software, and subnet information of the existing network or DHCP server software
The SSID and channel of the authorized network, a spectrum analyzer, protocol analyzer software, wireless frame generator software, and DHCP server software
The SSID of the authorized network, Internet Connection Sharing software, a high power FHSS jamming device, and DHCP server software
The channel of the authorized network, a mobile microwave oven, access point software, a spectrum analyzer, and wireless protocol analysis software
The intruder must know the SSID the wireless laptop is currently using so that he can configure his software AP to match. He must have a software access point configured on a different channel from the authorized access point so that he can use an RF jamming device to cause the wireless laptop to roam from its authorized access point. If the wireless laptop is using a static IP address, the intruder must configure his own laptop for the same subnet using a different IP address. If the wireless laptop is using DHCP, the intruder must have DHCP server software installed on his laptop computer in order to give the wireless laptop an IP address when it requests one.
As a new WLAN administrator for XYZ Corp, you notice that people are hanging around the coffee shop next door to your building aiming Yagi antennas toward your building. You assume that they are, at a minimum, attempting to passively eavesdrop on your network's traffic. How can you verify that these people are indeed passively eavesdropping on your wireless LAN?
By using a WLAN protocol analyzer to detect an increase of collisions on the wireless network
By using a WIPS to detect rogue devices
By using a WLAN protocol analyzer detector application
By using a network reconnaissance tool to perform continuous PING sweeps
It is not possible to detect passive eavesdropping
Since wireless eavesdroppers use radio cards in RF monitor mode, there is no way to detect or verify that they are passively eavesdropping. In RF monitor mode (promiscuous mode), radio cards do not transmit frames of any kind, making them invisible to intrusion detection tools. Some WLAN discovery tools probe the network using probe request frames. These tools can be detected by their pattern of continuous probing.
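The two frame-level symptoms the explanations above describe (the deauthentication and EAP-Start floods of the DoS question, and discovery tools that give themselves away by probing continuously) can both be picked out of a capture with simple per-source rate and persistence checks. This Python block is an added example, not material from the exam or its study guide; the capture records, MAC addresses and frame-kind labels are constructed for the example, and bucketing by whole seconds is a deliberate simplification of a sliding window.

```python
from collections import defaultdict

# Frame-kind labels are an assumption of this example, not 802.11 field names.
DEAUTH = "deauth"
EAPOL_START = "eapol_start"
PROBE_REQ = "probe_req"


def build_sample_capture():
    """Return a constructed list of (time_s, kind, src_mac) records from a monitor-mode capture."""
    frames = []
    legit = "02:00:00:00:00:0c"                     # normal client: one scan, one disconnect
    frames.append((0.5, PROBE_REQ, legit))
    frames.append((2.5, DEAUTH, legit))
    flooder = "02:00:00:00:00:0a"                   # 40 deauthentication frames in half a second
    for i in range(40):
        frames.append((1.0 + i * 0.0125, DEAUTH, flooder))
    scanner = "02:00:00:00:00:0b"                   # active discovery tool probing every 250 ms
    for i in range(16):
        frames.append((i * 0.25, PROBE_REQ, scanner))
    return sorted(frames)


def detect_bursts(frames, kinds=(DEAUTH, EAPOL_START), threshold=20):
    """Flag (kind, source) pairs that send >= threshold frames within one one-second bucket.

    A legitimate station sends a handful of deauth or EAPOL-Start frames at most; dozens
    per second from one source is the flood signature. Bucketing by int(t) can miss a
    burst that straddles a second boundary; a sliding window fixes that at more cost.
    """
    counts = defaultdict(int)
    for t, kind, src in frames:
        if kind in kinds:
            counts[(kind, src, int(t))] += 1
    return sorted({(kind, src) for (kind, src, _), n in counts.items() if n >= threshold})


def detect_continuous_probing(frames, min_seconds=3):
    """Flag sources that send probe requests in min_seconds consecutive one-second buckets.

    Rate alone is a poor signal here (a probe every 250 ms is not much traffic); the tell
    is persistence, so this looks for the longest run of consecutive seconds with probing.
    """
    buckets = defaultdict(set)
    for t, kind, src in frames:
        if kind == PROBE_REQ:
            buckets[src].add(int(t))
    hits = []
    for src, secs in buckets.items():
        run = best = 0
        prev = None
        for s in sorted(secs):
            run = run + 1 if prev is not None and s == prev + 1 else 1
            best = max(best, run)
            prev = s
        if best >= min_seconds:
            hits.append(src)
    return sorted(hits)


if __name__ == "__main__":
    capture = build_sample_capture()
    print("flood sources:", detect_bursts(capture))
    print("continuous probers:", detect_continuous_probing(capture))
```

A WIPS sensor applies the same logic to live frames; feeding it records parsed from a real capture only requires replacing `build_sample_capture`.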
Which of the following is a type of WLAN Denial of Service (DoS) attack?
Peer file theft
Active Bit flipping
Passive WEP cracking
At its most basic level, hijacking is a Denial of Service attack. This attack is performed by causing a client to roam to a rogue access point, which is often a software AP running on the intruder's laptop. At that point, the user has been denied service. An advanced attack is to give the user the impression that they have not been denied service. One method is accomplished by running a captive portal, where the user is redirected to a spoofed web page to get them to enter private information. This is called Wi-Fi phishing. Peer file theft is an active attack that does not result in denying service. Bit flipping is another active attack, used to impersonate an authorized client. Cracking WEP and eavesdropping are offline attacks that result in an unauthorized user being able to eavesdrop on your WEP-encrypted network.
Given: As the wireless LAN administrator, it is part of your responsibility to detect and eliminate rogue access points. You have educated end users about the dangers of rogue devices and have implemented a security policy sufficient to deter employees from placing rogues on the network. You have located a rogue access point that no employee will take responsibility for installing. You must assume that someone intentionally placed the rogue access point to attack your network. You determine that the rogue was not present on the network the previous day. By viewing the HTML management interface, you determine that the rogue has only been powered up for 15 minutes. What is your next task to deal with this situation?
Document the incident and report it to the highest level of management as a breach of security. Contact the police.
Disconnect the rogue access point's wired network connection, and save and analyze its log files.
Reconfigure all authorized access points to your organization's default security settings. Leave the rogue in place as a trap for the intruder.
Document the incident. Power down the access point, and take it to the police for fingerprinting tests.
Temporarily shut down the entire wireless segment of the network pending an internal criminal investigation
Disconnecting the rogue access point's wired network connection, and saving and analyzing its log files, should be done because you need to remove the rogue immediately from the network, but not disrupt normal company operations before you have all the facts from the log files. This is a measured response that should be defined in the company's security policy. It might not always be possible to recover log files from a rogue access point because it may not have the default password set. Resetting the unit to manufacturer's default settings would also clear the log files. In cases like this, the only recourse is to have a WIPS in place that has monitored activity between the rogue and any client devices. Upper management should only be contacted if there is sufficient evidence to prosecute this breach of policy internally (which this is not). Police will not be interested in an internal matter unless you can prove the rogue was placed by someone who broke a local law (like trespassing). Documenting the incident is a good idea. Reconfiguring all authorized access points to your organization's default security settings and leaving the rogue in place as a trap for the intruder is incorrect because you should check your APs for tampering, but you should also immediately remove the rogue. Temporarily shutting down the entire wireless segment of the network pending an internal criminal investigation is incorrect because it could shut down your company's network for what might be a minimal intrusion. Such a response should already be set down in policy with regard to Business Impact Analysis and Business Continuity.
ABC Corporation has recently hired a skilled wireless LAN security consultant to design, configure, install, and test a wireless LAN security implementation. The security implementation consists of 802.1X/PEAP, IPSec, and SSH2 solutions using the strongest available encryption. The security policy is very strict about use of the software solutions, and all end users have been sufficiently trained. When an unauthorized user tries to access the corporate WLAN from the parking lot, he cannot circumvent the existing security solutions. What are the next two steps the unauthorized user could take in order to penetrate the system's security? (Choose two)
Perform a distributed Internet crack against a single access point
Perform a social engineering attack against help desk personnel
Perform an RF jamming attack against the WIPS
Mount an email virus campaign to unlock access points from the wired LAN segment
Place a rogue access point on ABC Corporation's network
Due to the level of security implemented, any attack against an access point will be futile. An RF jamming attack will not penetrate the network, but rather it will deny network access to authorized users. Since the security methods implemented require usernames and passwords, a social engineering attack could be possible. By placing a rogue access point on the wired network, the wireless network can be successfully penetrated by circumventing existing security mechanisms.
As a network administrator, you understand the mentality of most war drivers and have implemented a very strong WLAN security solution. From your office window, you spot a war driver in your parking lot using a Yagi antenna and a laptop in his car. You correctly assume that the war driver is attempting to penetrate your WLAN. What should you do next?
Ignore the war driver. You have implemented a secure WLAN solution they cannot penetrate.
Call the police and have the war driver apprehended. Press charges for violations
Monitor the WIPS alerts and inform your organization's security personnel to ask the war driver to vacate the premises.
Implement a high-powered RF jamming device on all DSSS channels.
Approach the war driver and explain how his actions are illegal and unethical.
If a break-in does occur, you will need proof that it was indeed the war driver who did it. This will be supplied by system logs and the analysis performed by the WIPS. Also, since this is a security-related event, your security personnel should be alerted because they will best know how to legally and safely deal with the potential infiltrator.
A government agency has allowed its employees to telecommute from WLAN hot-spots. After implementing this policy, there occurred a sharp increase in the exposure and exploitation of sensitive government data. The WLAN administrator has been tasked with securing remote user laptop computers so that telecommuting can be continued indefinitely. What steps does the WLAN Administrator take to secure these laptop computers during use at wireless hot-spots?
Install wireless LAN client utilities with mandatory use of WPA2-Enterprise security on all laptops
Install personal firewall software and VPN end-point software on all laptops
Install WLAN protocol analyzer software which allows the admin to remotely monitor for wireless intrusions to each laptop
Require each user to utilize a portable NAT-capable wireless router while connected to the hot-spot network.
In an unsecured WLAN, attacks may come through eavesdropping on unsecured data or through direct connection attacks to a laptop. VPN technology allows users to remotely connect to corporate network resources using authentication and encryption. Personal firewall software protects laptops from direct intruder connections across the hot-spot (or other unsecured) WLAN.
Subject matter (WLAN Discovery Techniques; Intrusion and Attack Techniques; 802.11 Protocol Analysis; Wireless Intrusion Prevention Systems (WIPS) Implementation; Layer 2 and 3 VPNs used over 802.11 networks; Enterprise/SMB/SOHO/Public-Network Security design models; Managed Endpoint Security Systems; 802.11 Authentication and Key Management Protocols; Enterprise/SMB/SOHO/Public-Network Security Solution Implementation; Building Robust Security Networks from the ground up; Fast BSS Transition (aka Fast Secure Roaming) Techniques; Thorough coverage of all 802.1X/EAP types used in WLANs; Wireless LAN Management Systems (WNMS); Authentication Infrastructure Design Models; Using Secure Applications; 802.11 Design Architectures; Implementing a Thorough Wireless Security Policy).
Wireless network attacks and threat assessment (Demonstrate how to recognise, perform and prevent certain types of attacks and discuss their impact on the organisation; Understand the probability of, demonstrate the methodology of and execute the preventative measures against certain attacks on wireless infrastructure devices; Explain and demonstrate the use of protocol analysers; Explain and/or demonstrate security protocol circumvention against certain types of authentication and/or encryption; Perform a risk assessment; Explain and demonstrate certain security vulnerabilities associated with public access or other unsecured wireless networks).
Monitoring, management and tracking (Understand how to use laptop-based protocol and spectrum analysers; Describe the use, configuration and components of an 802.11 Wireless Intrusion Prevention System (WIPS); Explain 802.11 WIPS baselining; Describe and understand common security features of 802.11 WIPS; Describe and demonstrate the different types of WLAN management systems and their features; Describe and implement compliance monitoring, enforcement and reporting).
Security design and architecture (Describe wireless network security models; Recognise and understand certain security concepts; Identify the purpose and characteristics of 802.1X and EAP; Recognise and understand common uses of VPNs in wireless networks; Describe, demonstrate and configure centrally-managed client side security applications; Describe and demonstrate the use of secure infrastructure management protocols; Explain the role, importance and limiting factors of VLANs and network segmentation in an 802.11 WLAN infrastructure; Describe, configure and deploy an AAA server; Explain frame exchange processes and the purpose of each encryption key within 802.11 Authentication and Key Management; Describe and configure major security features in WLAN infrastructure devices; Explain the benefits of and configure management frame protection in access points and WLAN controllers; Explain the purpose, methodology, features and configuration of guest access networks).
Security policy (Explain the purpose and goals of certain WLAN security policies; Describe appropriate installation locations for and remote connectivity to WLAN devices to avoid physical theft, tampering and data theft; Explain the importance and implementation of client side security applications and ongoing WLAN monitoring and documentation; Summarise security policy criteria related to wireless public access network use; Explain the importance and implementation of a scalable and secure WLAN solution that includes certain security parameters).
Fast secure roaming (Describe and implement 802.11 Authentication and Key Management (AKM); Describe and implement Opportunistic Key Caching (OKC); Describe and implement 802.11r AKM and compare and contrast 802.11r enhancements with 802.11 AKM and OKC; Describe applications of Fast BSS transition; Describe and implement non-traditional roaming mechanisms; Describe how 802.11k Radio Resource Measurement factors into fast BSS transition; Describe the importance, application and functionality of Wi-Fi Voice Personal product certification).
CWSP Examination weight per section (Wireless network attacks and threat assessment 10%; Monitoring and Management 25%; Security design and architecture 50%; Security policy 5%; Fast secure roaming 10%).
Exam mode (can be taken online at Pearson VUE)
Exam details (To earn the CWSP qualification, you must hold a current and valid CWNA credential and pass the CWSP PW0-204 exam. The CWSP is valid for 3 years. The exam lasts 90 minutes and consists of 60 multiple choice/multiple answer questions in total; the pass score is 70% (80% for instructors).)
Exam fees (The exam fees are included in the registration fees here. At the time of publication, these are USD 340 per candidate. If and when the exam fees are increased by the exam provider, these additional charges will need to be borne by the candidate prior to taking the exam.)
Certification by : CWNP (Certified Wireless Network Professional)
CWNP (Certified Wireless Network Professional) is the IT industry standard for vendor-neutral enterprise Wi-Fi certification and training.
The CWSP is a professional level wireless LAN certification suitable for all wireless network professionals, including IT security professionals, network architects, system and network administrators, systems and network engineers, systems and network analysts, final-line technical support staff, technical consultants, and experienced networking professionals wanting the critical skills needed to secure wireless networks.
1. The CWNA is required for your CWSP, CWAP, CWDP and CWNE certifications.
2. This course is brought to you in partnership with Marquest Limited and Signalutions BV.
You will learn
Main subject areas covered (Wireless Network Attacks and Threat Assessment; Monitoring and Management; Security Design and Architecture; Security Policy; Fast Secure Roaming).
CWNP Provided each Wireless Tech Field Day delegate with a FREE hardcopy of their choice of either the CWAP or CWDP study guide!
I wanted to take a moment and thank both Marcus and Kevin for their continued contribution to the wireless community. It was a pleasure to meet Marcus in person. What a talented young guy with a passion and fire for WiFi.
I also wanted to show some love to Kevin Sandlin. A lot of folks may not realize the driving force and focus behind CWNP. Kevin is the guy behind the curtain keeping the CWNP momentum alive and well. Kevin, thank you!
I also want to show love to their entire CWNP crew and authors of the recent CWDP and CWAP study guides!!