This exam certifies expertise in wireless network security. Topics include Wi-Fi protocols, authentication mechanisms, encryption attacks, rogue access points, and wireless penetration testing methodologies. Candidates demonstrate the ability to assess and secure wireless environments.
Question 1. Which IEEE 802.11 amendment introduced MIMO technology?
A) 802.11a
B) 802.11b
C) 802.11g
D) 802.11n
Answer: D
Explanation: 802.11n introduced MIMO (multiple spatial streams) and operates in both the 2.4 GHz and 5 GHz bands. The amendment confined to 5 GHz is 802.11a, which uses single-stream OFDM and predates MIMO, so no single amendment is both 5 GHz-only and the origin of MIMO.

Question 2. In the OSI model, which layer is responsible for framing, addressing, and error detection in Wi-Fi?
A) Physical layer
B) Data Link layer
C) Network layer
D) Transport layer
Answer: B
Explanation: The Data Link layer (Layer 2) handles MAC framing, addressing and error detection; these are core functions of the 802.11 MAC sublayer, which sits above the 802.11 PHY.

Question 3. What is the primary difference between Infrastructure mode and Ad-Hoc mode?
A) Infrastructure uses a central AP; Ad-Hoc allows direct peer-to-peer communication.
B) Infrastructure operates only on 5 GHz; Ad-Hoc only on 2.4 GHz.
C) Infrastructure encrypts traffic; Ad-Hoc does not.
D) Infrastructure requires WPS; Ad-Hoc does not.
Answer: A
Explanation: Infrastructure mode relies on an Access Point (AP) to relay all traffic, while Ad-Hoc mode (an IBSS) lets stations communicate directly without an AP.

Question 4. Which antenna type provides the highest gain in a specific direction?
A) Omnidirectional
B) Dipole
C) Yagi
D) Patch
Answer: C
Explanation: A Yagi antenna focuses energy into a narrow beam, giving the highest directional gain of the listed types. Omnidirectional and dipole antennas radiate roughly equally in all horizontal directions; patch antennas are directional but typically lower gain than a Yagi.

Question 5. When configuring a wireless interface for packet injection, which mode must be set?
A) Managed mode
B) Monitor mode
C) Master mode
D) Repeater mode
Answer: B
Explanation: Monitor mode passes every frame heard on the channel to user space regardless of BSSID and, on chipsets whose drivers support it, lets tools such as aireplay-ng inject crafted frames.

Question 6. Which frame type is used by an AP to announce its presence and network parameters?
A) Probe Request
B) Authentication
C) Beacon
D) Deauthentication
Answer: C
Explanation: Beacon frames are management frames the AP broadcasts periodically; they carry the SSID, supported rates, channel and security (RSN) parameters that clients use to discover and join the network.
C) ARP Request Replay
D) PTW attack
Answer: C
Explanation: ARP Request Replay (aireplay-ng -3) captures one WEP-encrypted ARP request and retransmits it repeatedly; the AP relays each copy as a new frame encrypted under a fresh IV, so the capture accumulates IV-distinct packets far faster than passive sniffing allows, and the PTW statistical attack can then recover the key from a few tens of thousands of them.

Question 10. In a clientless WEP attack, the attacker injects forged fragments to obtain keystream. Which known attack uses this technique?
A) KoreK Chopchop
B) PTW attack
C) Aircrack replay
D) WPS PIN attack
Answer: A
Explanation: Chopchop (KoreK) recovers keystream without an associated client by truncating a captured frame one byte at a time, guessing the removed byte, and using whether the AP relays the adjusted packet as an ICV oracle. It is the only keystream-recovery attack among the options. The separate fragmentation attack (Bittau et al.) is the one that literally sends forged fragments to obtain long keystreams; aireplay-ng implements both (-4 for chopchop, -5 for fragmentation).

Question 11. When a network uses Shared Key Authentication (SKA), which packet can be captured to mount a fake authentication?
A) Association Request
B) Challenge Text
C) Deauthentication
D) Reassociation Response
Answer: B
Explanation: The AP sends the 128-byte challenge text in the clear and the station returns it WEP-encrypted. XORing the two yields the RC4 keystream for that IV, which an attacker can reuse to encrypt the AP's next challenge (aireplay-ng fake authentication) and authenticate without ever knowing the key.

Question 12. The 4-Way Handshake in WPA/WPA2 is primarily used to derive which secret?
A) Group Temporal Key (GTK)
B) Pairwise Master Key (PMK)
C) Pairwise Transient Key (PTK)
D) Pre-Shared Key (PSK)
Answer: C
Explanation: The handshake feeds the PMK, ANonce, SNonce and both MAC addresses through a PRF to produce the PTK, whose KCK authenticates the handshake messages, KEK wraps the GTK delivered in Message 3, and TK encrypts unicast traffic. The PMK is an input (derived from the PSK by PBKDF2 in personal mode, or from the EAP exchange in enterprise mode), not an output.

Question 13. Which tool can convert a captured WPA handshake (.cap) into a hashcat-compatible .hccapx file?
A) aircrack-ng
B)
Answer: hashcat
Explanation: cap2hccapx from hashcat-utils converts a .cap into .hccapx for GPU-accelerated cracking; hcxpcaptool from hcxtools did the same, and its successor hcxpcapngtool now emits hashcat's 22000 format, which covers both 4-Way Handshakes and PMKIDs.

Question 14. Which attack targets the WPS PIN by exploiting the fact that the PIN is split into two halves?
A) Pixie-Dust
B) Reaver offline attack
C) Bully's sequential PIN attack
D) WPS PIN brute-force
Answer: D
Explanation: The registrar acknowledges the first four PIN digits separately from the last three (the eighth digit is a checksum), so an attacker needs at most 10,000 + 1,000 = 11,000 attempts instead of 10^7. Reaver and Bully automate this online brute force; Pixie-Dust, by contrast, is an offline attack on weak nonce generation in the registrar.
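As an added example (not part of the original exam), the following Python model of WEP shows why the Shared Key Authentication exchange of Question 11 hands an attacker a usable keystream, and why the 24-bit IV behind Questions 9 and 39 guarantees keystream reuse. The key, IV and challenge bytes are constructed for the demo; the RC4 and CRC-32 handling follows the WEP specification, but this is not aircrack-ng's code.

```python
# Added example, not part of the original exam: a small WEP model showing why
# the Shared Key Authentication exchange (Question 11) leaks keystream and why
# the 24-bit IV (Question 39) guarantees reuse. Key, IV and challenge are
# constructed for this demo.
import math
import struct
import zlib

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 possible IVs per key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). WEP seeds it with IV || secret key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || RC4_{IV||key}(plaintext || ICV), the body of a WEP frame."""
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, frame: bytes):
    """Return (plaintext, icv_ok) for a frame produced by wep_encrypt."""
    iv, body = frame[:3], frame[3:]
    dec = rc4(iv + key, body)
    plaintext, tag = dec[:-4], dec[-4:]
    return plaintext, tag == icv(plaintext)


def recover_keystream(challenge: bytes, encrypted_response: bytes):
    """Shared Key Authentication: the AP sends the challenge in the clear and
    the station returns it WEP-encrypted. Known plaintext XOR ciphertext is
    the RC4 keystream for that IV (challenge plus its 4 ICV bytes)."""
    iv, body = encrypted_response[:3], encrypted_response[3:]
    known = challenge + icv(challenge)
    return iv, bytes(p ^ c for p, c in zip(known, body))


def forge_frame(iv: bytes, keystream: bytes, plaintext: bytes) -> bytes:
    """Encrypt arbitrary plaintext with the recovered keystream under the same
    IV. The AP accepts it because the ICV is computed over our plaintext; the
    key itself is never needed (the fake-authentication / forgery step)."""
    data = plaintext + icv(plaintext)
    if len(data) > len(keystream):
        raise ValueError("payload longer than the recovered keystream")
    return iv + bytes(p ^ k for p, k in zip(data, keystream))


def expected_frames_until_iv_repeat() -> float:
    """Birthday bound: with random IVs a repeat is expected after roughly
    sqrt(pi/2 * 2^24) frames, about 5,100, i.e. minutes on a busy AP."""
    return math.sqrt(math.pi / 2 * IV_SPACE)


def demo():
    key = bytes.fromhex("0102030405")      # constructed 40-bit WEP key
    iv = bytes.fromhex("aabbcc")            # constructed IV chosen by the station
    challenge = bytes(range(128))           # constructed 128-byte challenge text
    response = wep_encrypt(key, iv, challenge)          # captured off the air
    iv_seen, keystream = recover_keystream(challenge, response)
    forged = forge_frame(iv_seen, keystream, b"ARP who-has 10.0.0.1 tell 10.0.0.9")
    plaintext, ok = wep_decrypt(key, forged)            # what the AP would see
    return plaintext, ok


if __name__ == "__main__":
    print(demo())
    print(round(expected_frames_until_iv_repeat()))
```

The forged frame passes the AP's ICV check although the attacker never learned the key: WEP's CRC-32 is linear and the keystream depends only on IV and key, so any plaintext up to the recovered keystream length can be encrypted under that IV. The same keystream-reuse property is what ARP replay (Question 9) and chopchop (Question 10) exploit from the other direction.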
Explanation: Dragonblood combines timing and cache side channels against the hunting-and-pecking password element derivation with a downgrade to WPA2 in transition mode, weakening WPA3's guarantee of resistance to offline dictionary attacks.

Question 18. When setting up an Evil Twin AP, which configuration file defines the SSID and channel for hostapd?
A) wpa_supplicant.conf
B) hostapd.conf
C) dhcpd.conf
D) resolv.conf
Answer: B
Explanation: hostapd.conf holds interface=, driver=, hw_mode=, ssid= and channel= (plus the wpa_* settings if the rogue AP is to mimic an encrypted network), which together define the rogue AP's identity.

Question 19. In a captive-portal attack, which service is typically used to resolve all DNS queries to the attacker's web server?
A) dnsmasq
B) ntpd
C) syslogd
D) vsftpd
Answer: A
Explanation: dnsmasq serves DHCP and DNS to the victims; an entry such as address=/#/<attacker-ip> makes it answer every query with the attacker's address, so whatever hostname a client tries lands on the local HTTP server hosting the portal page.

Question 20. Bettercap's "http.proxy" module is primarily used for which purpose?
A) Injecting arbitrary Wi-Fi frames
B) Performing DNS spoofing only
C) Intercepting and modifying HTTP traffic in transit
D) Cracking WPA handshakes
Answer: C
Explanation: http.proxy is a transparent HTTP proxy, normally combined with arp.spoof to get into the traffic path, that lets the attacker view and rewrite requests and responses; HTTPS needs the separate https.proxy module and a certificate the client accepts.

Question 21. Which 802.1X EAP method authenticates both the supplicant and the server with X.509 certificates inside a TLS exchange?
A) EAP-MD5
B) EAP-TLS
C) EAP-SIM
D) EAP-TTLS
Answer: B
Explanation: EAP-TLS performs a full TLS handshake with certificates on both sides, giving mutual authentication for WPA-Enterprise networks. EAP-TTLS also builds a TLS tunnel, but uses it to protect a weaker inner method (PAP, MS-CHAPv2) and normally authenticates only the server with a certificate.

Question 22. The tool hostapd-wpe is used to perform which type of attack?
A) Deauthentication flooding
B) Rogue AP with fake RADIUS for credential harvesting
C) WEP IV replay
D) WPA3 SAE downgrade
Answer: B
Explanation: hostapd-wpe emulates an enterprise AP and RADIUS server and logs whatever the inner method sends: MS-CHAPv2 challenge/response pairs (crackable offline with asleap or hashcat), or plaintext credentials when the inner method is PAP or GTC. It only works against clients that fail to validate the server certificate, which is why certificate validation on supplicants is the primary defence.

Question 23. In a wireless mesh network, which protocol is commonly used for routing?
A) OSPF
A) Frame is destined for the distribution system (AP)
B) Frame is from the distribution system to a client
C) Frame is a management beacon
D) Frame is encrypted with WPA
Answer: A
Explanation: To DS = 1 with From DS = 0 marks a frame sent from a station into the distribution system via the AP (Address 1 is the BSSID). From DS = 1 is the reverse direction; both bits set indicates a four-address WDS frame between APs; both clear is used for management frames and IBSS traffic.

Question 27. Which of the following is NOT a valid 802.11 channel width?
A) 20 MHz
B) 40 MHz
C) 80 MHz
D) 120 MHz
Answer: D
Explanation: Standard channel widths are 20, 40, 80 and 160 MHz (80+80 MHz is two non-contiguous 80 MHz segments); 120 MHz is not defined.

Question 28. The "RTS/CTS" exchange is primarily used to mitigate which problem?
A) Authentication spoofing
B) Hidden node collisions
C) Encryption key reuse
D) Beacon flooding
Answer: B
Explanation: RTS/CTS reserves the medium before data transmission: stations that cannot hear the sender still hear the AP's CTS and defer, reducing collisions caused by hidden nodes.

Question 29. Which Wi-Fi security protocol first introduced the concept of a "Group Temporal Key"?
A) WEP
B) WPA-Personal
C) WPA2-Enterprise
D) WPA3-SAE
Answer: B
Explanation: WPA introduced the GTK to encrypt broadcast and multicast traffic separately from per-station pairwise keys (WEP used one shared key for everything), a design retained in WPA2 and WPA3.

Question 30. When using airodump-ng, which column shows the number of data frames captured from a client?
A) PWR
B) BSSID
C) #Data
D) ENC
Answer: C
Explanation: In airodump-ng's AP table the #Data column counts captured data frames per BSSID (for WEP, frames with unique IVs, which is the number that matters for cracking); the station table beneath it shows per-client counts in the Frames column.

Question 31. In a captured WPA handshake, which message contains the ANonce (AP nonce)?
A) Message 1 (EAPOL-Message 1)
B) Message 2 (EAPOL-Message 2)
C) Message 3 (EAPOL-Message 3)
D) Message 4 (EAPOL-Message 4)
Answer: A
Explanation: The first EAPOL-Key message, sent by the AP, carries the ANonce; the client replies in Message 2 with its SNonce and a MIC, which is why a capture of Messages 1 and 2 already suffices for offline cracking.
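The derivation behind Questions 12, 13 and 31, written out as an added example (not code from the original exam or from aircrack-ng/hashcat): a candidate passphrase is expanded to the PMK, the PMK plus the two MAC addresses and two nonces gives the PTK, and the PTK's KCK must reproduce the MIC on EAPOL Message 2. The PMKID used by clientless attacks is included for comparison. The SSID, passphrase, MAC addresses, nonces and the EAPOL frame are constructed; the hash constructions follow 802.11i.

```python
# Added example, not part of the original exam: the key derivation behind
# Questions 12, 13 and 31, as a cracker replays it against a captured
# handshake. MACs, nonces and the EAPOL frame below are constructed.
import hashlib
import hmac

MIC_OFFSET = 81   # EAPOL header (4) + Key Descriptor fields preceding Key MIC
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces)).
    For WPA2-CCMP the 48 bytes split into KCK (MIC), KEK (GTK wrap) and TK (data)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def build_eapol_key(key_info: int, replay_counter: int, nonce: bytes,
                    mic: bytes, key_data: bytes = b"") -> bytes:
    """Minimal EAPOL-Key frame (descriptor type 2 = RSN); IV, RSC and ID left zero."""
    body = (bytes([2]) + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big")
            + replay_counter.to_bytes(8, "big") + nonce + bytes(16) + bytes(8) + bytes(8)
            + mic + len(key_data).to_bytes(2, "big") + key_data)
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1-128 over the frame, MIC zeroed."""
    zeroed = eapol[:MIC_OFFSET] + bytes(MIC_LEN) + eapol[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def check_passphrase(candidate, ssid, aa, spa, anonce, snonce, msg2) -> bool:
    """The offline test run per candidate: does this passphrase's KCK reproduce
    the MIC the client put on Message 2?"""
    ptk = derive_ptk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)
    return hmac.compare_digest(eapol_mic(ptk["kck"], msg2),
                               msg2[MIC_OFFSET:MIC_OFFSET + MIC_LEN])


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA). Some APs include it in
    Message 1, which is why one frame suffices for the PMKID attack."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


# Constructed capture: AP, client, nonces, and Message 2 signed with the real passphrase.
SSID, PASSPHRASE = "corp-wifi", "correct horse battery"
AA = bytes.fromhex("001122334455")        # AP (authenticator) MAC, constructed
SPA = bytes.fromhex("66778899aabb")       # client (supplicant) MAC, constructed
ANONCE = bytes(range(32))                 # from Message 1
SNONCE = bytes(range(32, 64))             # from Message 2
_unsigned = build_eapol_key(0x010A, 1, SNONCE, bytes(16))
_kck = derive_ptk(pmk_from_passphrase(PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)["kck"]
MSG2 = build_eapol_key(0x010A, 1, SNONCE, eapol_mic(_kck, _unsigned))

if __name__ == "__main__":
    for guess in ("password123", PASSPHRASE):
        print(guess, check_passphrase(guess, SSID, AA, SPA, ANONCE, SNONCE, MSG2))
```

The cost that makes GPU cracking attractive sits in pmk_from_passphrase: 4096 PBKDF2 iterations per candidate, while everything after the PMK is a handful of HMACs. Note that the PMKID check needs no nonces and no client at all, only the PMK and the two MACs.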
D) Pre-Shared Encryption Authentication Process
Answer: A
Explanation: PEAP stands for Protected Extensible Authentication Protocol; it establishes a TLS tunnel authenticated by the server's certificate and runs an inner EAP method (typically EAP-MSCHAPv2) inside it.

Question 35. Which of the following is a typical symptom of a "Beacon Flood" attack?
A) Clients disconnect randomly
B) Excessive channel noise causing high CPU usage on APs
C) Overcrowded SSID list on client devices
D) Immediate WPA2 key rotation
Answer: C
Explanation: A beacon flood (for example mdk4's beacon mode) injects beacons for many fake networks, cluttering the SSID list on client devices and hiding the legitimate network among decoys.

Question 36. The term "WDS" in wireless networking refers to:
A) Wireless Distribution System, a method to interconnect APs wirelessly
B) Wi-Fi Direct Service, a peer-to-peer protocol
C) Wide-band Data Stream, a high-speed PHY
D) Wireless Defense Suite, a set of security tools
Answer: A
Explanation: WDS lets APs forward traffic between each other over the air using four-address frames (To DS and From DS both set), removing the need for a wired backbone.

Question 37. Which 802.11 amendment first introduced MU-MIMO?
A) 802.11a
B) 802.11n
C) 802.11ac
D) 802.11ax
Answer: C
Explanation: 802.11ac (Wave 2) added downlink multi-user MIMO; 802.11n had only single-user MIMO, and 802.11ax later added uplink MU-MIMO and OFDMA.

Question 38. In the context of Wi-Fi, what does "HT" stand for?
A) High Throughput
B) Hybrid Transmission
C) Host Terminal
D) Hidden Token
Answer: A
Explanation: HT denotes the High Throughput PHY/MAC extensions introduced with 802.11n; 802.11ac's are VHT (Very High Throughput) and 802.11ax's are HE (High Efficiency).

Question 39. Which of the following is a reason why WEP is considered insecure?
A) Uses AES-CCMP encryption
B) Relies on a static 40-bit key and short IVs leading to keystream reuse
C) Requires a radius server for authentication
D) Supports only 802.11ac devices
Answer: B
Explanation: WEP uses a static 40- or 104-bit key and a 24-bit IV (about 16.7 million values) that repeats on a busy network within minutes; RC4 keystream reuse and the related-key weaknesses exploited by the FMS, KoreK and PTW attacks let an attacker recover the key from tens of thousands of captured frames.

Question 40. Which tool can be used to perform a "PMKID" attack against WPA2 networks without a full 4-Way Handshake?
A) airodump-ng
B) hcxdumptool
B) Increase security against WPA2 cracking
C) Reduce beacon traffic on the channel
D) Hide the network from basic scans
Answer: B
Explanation: Hidden SSIDs provide only obscurity and no cryptographic benefit. The name still appears in probe requests from clients that have the network saved (they broadcast it wherever they roam), in probe responses and in association requests, so any passive sniffer recovers it; the PSK can be cracked exactly as for a visible network.

Question 44. Which command sets a wireless interface to monitor mode using the iw utility?
A) iwconfig wlan0 mode monitor
B) ifconfig wlan0 up
C) iw dev wlan0 set type monitor
D) airmon-ng start wlan
Answer: C
Explanation: iw dev wlan0 set type monitor is the nl80211 command; the interface must be down while the type changes (ip link set wlan0 down first, then up again). iwconfig wlan0 mode monitor is the legacy wireless-extensions equivalent, and airmon-ng wraps these steps, on many drivers creating a separate wlan0mon interface.

Question 45. The "Beacon Interval" field in a beacon frame defines:
A) The time between consecutive beacons sent by the AP
B) The duration of the authentication process
C) The maximum transmission power of the AP
D) The length of the SSID string
Answer: A
Explanation: Beacon Interval is expressed in time units (1 TU = 1024 µs); the common default of 100 TU means a beacon roughly every 102 ms.

Question 46. Which of the following attacks specifically targets the Group Temporal Key (GTK) in WPA/WPA2?
A) KRACK (Key Reinstallation Attack)
B) PTW attack
C) Chopchop attack
D) ARP replay attack
Answer: A
Explanation: KRACK forces reinstallation of a key already in use by replaying handshake messages: replaying Message 3 reinstalls the PTK and resets the CCMP nonce, enabling decryption or forgery of unicast traffic, while replaying the Group Key Handshake reinstalls the GTK and lets the attacker replay broadcast/multicast frames to clients. Of the options only KRACK involves the GTK; the other three are WEP attacks.

Question 47. In WPA3-SAE, the "password element" is transmitted using which cryptographic primitive?
A) RSA encryption
B) Diffie-Hellman key exchange with a finite-field group
C) ECC (Elliptic Curve) key exchange
D) Plaintext transmission
Answer: B
Explanation: SAE is a Dragonfly password-authenticated key exchange. The password is first mapped to an element of the negotiated group, and each side's commit message carries a scalar and an element derived from that password element plus a random mask; the password element itself is never sent, which is what gives SAE its resistance to offline dictionary attacks. The standard allows both finite-field groups (the keyed answer) and elliptic-curve groups (option C); in practice ECC group 19 (NIST P-256) is the common default.

Question 48. Which of the following best describes a "mesh point" in an 802.11s network?
A) A device that only acts as a client
B) An AP that also forwards traffic for other nodes
C) A wired bridge between two wireless segments
D) A device that disables beacon frames
Answer: B
Explanation: A mesh point (MP) functions both as an endpoint and as a forwarding node, enabling multi-hop wireless connectivity.
Answer: A
Explanation: Assigning a static IP to the rogue AP's interface keeps it from conflicting with the legitimate DHCP server and gives the attacker's own DHCP/DNS services a fixed address to hand out as the gateway.

Question 52. In the context of wireless packet injection, what does "TX power" refer to?
A) The encryption strength of transmitted frames
B) The transmit antenna gain measured in dBi
C) The output power of the radio, expressed in dBm
D) The number of transmitted management frames per second
Answer: C
Explanation: TX power (dBm) is the radio's output power level, which together with antenna gain (dBi) determines range and received signal strength.

Question 53. Which command in Bettercap initiates a DNS spoofing attack against a specific domain?
A) set dns.spoof true
B) dns.spoof on example.com 10.0.0.
C) arp.spoof on
D) http.proxy on
Answer: B
Explanation: In bettercap 2.x the module is configured with set dns.spoof.domains example.com and set dns.spoof.address <attacker-ip>, then started with dns.spoof on; option B collapses that sequence onto one line. If dns.spoof.address is not set, bettercap answers with its own interface address.

Question 54. Which of the following is NOT a valid 802.11 security suite identifier?
A) CCMP
B) TKIP
Answer: C
Explanation: WEP-128 is a marketing name for WEP-104, not an RSN cipher suite selector; CCMP, TKIP and GCMP-256 are defined suites (OUI 00-0F-AC, selector values 4, 2 and 9).

Question 55. The "Fragment Number" field in the MAC header is used for:
A) Identifying the order of fragmented frames belonging to the same MSDU
B) Indicating the channel number
C) Specifying the encryption type
D) Determining the transmission power level
Answer: A
Explanation: The 4-bit Fragment Number in the Sequence Control field tracks the order of fragments that together reassemble the original MSDU; the 12-bit Sequence Number alongside it identifies the MSDU itself.

Question 56. Which of the following tools can generate a rogue WPA2-Enterprise RADIUS server for credential harvesting?
A) hostapd-wpe
B) aircrack-ng
C) reaver
D) hcxdumptool
Answer: A
Explanation: hostapd-wpe emulates an AP with a built-in fake RADIUS backend and records the usernames and inner-method credentials (MS-CHAPv2 challenge/response, or plaintext for PAP/GTC) that clients without certificate validation send it.

Question 57. In a captured WEP packet, the "IV" field is 24 bits long. How many possible IV values exist?
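As an added example tying together the header fields behind Questions 6, 26, 45, 54 and 55 (not code from the original exam or from any of the tools it names), the following Python parses an 802.11 MAC header and beacon body: frame type/subtype, the To DS / From DS bits, sequence and fragment numbers, beacon interval, SSID, channel and the RSN cipher/AKM selectors. The two frames at the bottom are constructed, not captured traffic.

```python
# Added example, not part of the original exam: a minimal 802.11 MAC header and
# beacon parser for the fields in Questions 6, 26, 45, 54 and 55. Both frames at
# the bottom are constructed for the demo.
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_SUITES = {1: "802.1X", 2: "PSK", 8: "SAE"}
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
RSNA_OUI = b"\x00\x0f\xac"


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_header(frame: bytes) -> dict:
    """Decode Frame Control, the address fields and Sequence Control."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    hdr = {"type": FRAME_TYPES.get(ftype, "reserved"), "subtype": subtype,
           "to_ds": bool(fc1 & 0x01), "from_ds": bool(fc1 & 0x02),
           "more_frag": bool(fc1 & 0x04), "retry": bool(fc1 & 0x08),
           "protected": bool(fc1 & 0x40), "addr1": mac(frame[4:10])}
    if ftype == 1:
        # Control frames carry no Sequence Control; CTS/ACK have one address, RTS two.
        hdr["header_len"] = 10 if subtype in (12, 13) else 16
        if hdr["header_len"] == 16:
            hdr["addr2"] = mac(frame[10:16])
        return hdr
    hdr["addr2"], hdr["addr3"] = mac(frame[10:16]), mac(frame[16:22])
    seq_ctrl = int.from_bytes(frame[22:24], "little")
    hdr["fragment_number"], hdr["sequence_number"] = seq_ctrl & 0xF, seq_ctrl >> 4
    hdr["header_len"] = 24
    if hdr["to_ds"] and hdr["from_ds"]:          # four-address WDS data frame
        hdr["addr4"], hdr["header_len"] = mac(frame[24:30]), 30
    return hdr


def parse_rsn(ie: bytes) -> dict:
    """RSN IE: version | group cipher | pairwise list | AKM list (OUI 00-0F-AC)."""
    def selector(table, b):
        if len(b) < 4:
            return "truncated"
        return table.get(b[3], b.hex()) if b[:3] == RSNA_OUI else b.hex()

    def suite_list(table, pos):
        n = int.from_bytes(ie[pos:pos + 2], "little")
        items = [selector(table, ie[pos + 2 + 4 * i:pos + 6 + 4 * i]) for i in range(n)]
        return items, pos + 2 + 4 * n

    rsn = {"version": int.from_bytes(ie[0:2], "little"),
           "group": selector(CIPHER_SUITES, ie[2:6])}
    rsn["pairwise"], pos = suite_list(CIPHER_SUITES, 6)
    rsn["akm"], pos = suite_list(AKM_SUITES, pos)
    return rsn


def parse_beacon(frame: bytes) -> dict:
    """Beacon body: timestamp(8) | beacon interval(2, TU) | capability(2) | IEs."""
    hdr = parse_header(frame)
    body = frame[hdr["header_len"]:]
    interval_tu = int.from_bytes(body[8:10], "little")
    info = {"bssid": hdr["addr3"], "beacon_interval_tu": interval_tu,
            "beacon_interval_ms": interval_tu * 1.024, "ssid": None}   # 1 TU = 1024 us
    pos = 12
    while pos + 2 <= len(body):
        eid, elen = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + elen]
        if len(data) < elen:             # truncated element: stop rather than over-read
            break
        if eid == 0:
            # Empty or all-zero SSID = "hidden" network; the name still leaks in probes.
            info["ssid"] = data.decode("utf-8", "replace") if data.strip(b"\x00") else "<hidden>"
        elif eid == 3 and elen == 1:
            info["channel"] = data[0]
        elif eid == 48 and elen >= 2:
            info["rsn"] = parse_rsn(data)
        pos += 2 + elen
    return info


# Constructed frames. BEACON: WPA2-PSK/CCMP network "corp-wifi" on channel 6 at
# 100 TU. DATA_TO_AP: fragment 2 of sequence 5 from a client towards the AP.
BSSID = bytes.fromhex("001122334455")
BEACON = (bytes.fromhex("8000") + bytes(2)                       # FC mgmt/beacon, duration
          + b"\xff" * 6 + BSSID + BSSID                          # DA, SA, BSSID
          + (10 << 4).to_bytes(2, "little")                      # seq 10, frag 0
          + bytes(8) + (100).to_bytes(2, "little") + bytes.fromhex("1104")
          + b"\x00\x09corp-wifi" + b"\x03\x01\x06"
          + b"\x30\x14" + bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000"))
DATA_TO_AP = (bytes.fromhex("0801") + bytes(2)                   # FC data, To DS = 1
              + BSSID + bytes.fromhex("66778899aabb") + bytes.fromhex("c0ffeec0ffee")
              + ((5 << 4) | 2).to_bytes(2, "little"))            # seq 5, frag 2

if __name__ == "__main__":
    print(parse_beacon(BEACON))
    print(parse_header(DATA_TO_AP))
```

The two bit positions worth memorising are Frame Control byte 1, bits 0 and 1 (To DS, From DS), and the split of the little-endian Sequence Control word into a 4-bit fragment number and a 12-bit sequence number; a parser that reads the word big-endian gets both wrong. The RSN selector table is the same one used to answer Question 54: WEP-128 does not appear because no such selector exists.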