Prepare for wireless penetration testing concepts including Wi-Fi attacks, wireless encryption, rogue access points, packet analysis, and wireless security assessment.
Typology: Exams
Question 1. Which IEEE 802.11 amendment operates exclusively in the 5 GHz band and introduces MU-MIMO?
A) 802.11a
B) 802.11n
C) 802.11ac
D) 802.11g
Answer: C
Explanation: 802.11ac works only in 5 GHz, adds wider channels, higher order modulation, and multi-user MIMO.

Question 2. In the OSI model, which layer is primarily responsible for framing, ACK/NAK, and retransmission in Wi-Fi?
A) Physical
B) Data Link – MAC
C) Network
D) Transport
Answer: B
Explanation: The MAC sublayer of the Data Link layer handles frame construction, acknowledgments, and retransmission logic for 802.11.

Question 3. An “infrastructure” wireless network differs from an “ad-hoc” network because:
A) It uses a mesh of peer routers.
B) Clients communicate directly without an AP.
C) All traffic must pass through a central Access Point.
D) It cannot support WPA2.
Answer: C
Explanation: Infrastructure mode requires an AP that all stations associate with; ad-hoc (peer-to-peer) has no AP.
Question 4. Which antenna type provides the highest gain in a specific direction while sacrificing coverage elsewhere?
A) Omnidirectional
B) Dipole
C) Yagi
D) Patch
Answer: C
Explanation: Yagi antennas focus energy in a narrow beam, giving high directional gain (measured in dBi).

Question 5. When configuring a wireless NIC for packet injection, which mode must be enabled?
A) Managed
B) Monitor with injection flag
C) Master
D) Repeater
Answer: B
Explanation: Monitor mode allows passive listening; to inject packets the driver must also support injection (often set with “--enable-injection”).

Question 6. Which frame type is used by an AP to announce its SSID, supported rates, and capabilities?
A) Probe Request
B) Authentication
C) Beacon
D) RTS
Answer: C
Explanation: Beacon frames are management frames broadcast periodically by APs containing network description information.
Question 10. Which attack accelerates WEP IV collection by forcing a client to repeatedly request the same ARP entry?
A) Deauthentication attack
B) ARP request replay attack
C) Fragmentation attack
D) Chopchop attack
Answer: B
Explanation: The ARP replay attack injects captured ARP requests, causing the AP to generate many encrypted packets with new IVs.

Question 11. The “Korek ChopChop” attack allows an attacker to:
A) Capture a full WEP keystream without any client.
B) Decrypt WPA2 traffic by replaying EAPOL frames.
C) Crack WPA3 passwords using a dictionary.
D) Bypass MAC filtering on an AP.
Answer: A
Explanation: ChopChop works on a single WEP packet, iteratively guessing the last byte and re-encrypting to obtain keystream data without a client.

Question 12. In a “shared key authentication” (SKA) exchange, the attacker can impersonate a client by capturing which element?
A) The SSID broadcast.
B) The Challenge Text.
C) The Beacon frame.
D) The Deauthentication frame.
Answer: B
Explanation: SKA sends a challenge encrypted with the shared key; capturing it enables replay or offline cracking.

Question 13. Which of the following is NOT a valid method to obtain a WPA/WPA2 passphrase offline?
A) Dictionary attack on the captured PMKID.
B) Brute-force attack on the AP’s MAC address.
C) Dictionary attack on the 4-way handshake.
D) Using pre-computed PMK tables (coWPAtty).
Answer: B
Explanation: The AP’s MAC address is not related to the PSK; offline attacks target the PMK derived from the passphrase.

Question 14. Which command generates a rainbow table for WPA/WPA2 using coWPAtty?
A) cowpatty -i wlan0 -r wordlist.txt -s hash.txt
B) cowpatty -i wlan0 -w wordlist.txt -s hash.txt
C) cowpatty -r wordlist.txt -s hash.txt -p 8
D) cowpatty -i wlan0 -r wordlist.txt -p 8
Answer: C
Explanation: coWPAtty uses “-r” for the wordlist, “-s” for the captured hash, and “-p” to set the password length range.

Question 15. The purpose of airolib-ng in WPA cracking is to:
A) Capture handshakes faster.
B) Store pre-computed PMKs for rapid lookup.
C) Perform deauthentication attacks.
D) Generate fake APs.
Answer: B
Explanation: airolib-ng builds a database of PMKs derived from wordlists, allowing rapid matching against captured handshakes.

Question 16. Which of the following WPS attacks relies on the “Pixie Dust” vulnerability?
A) Offline PIN brute-force.
Explanation: By broadcasting the same SSID with higher RSSI, clients may automatically connect to the attacker’s AP.

Question 20. Which of the following tools can be used to create a captive portal for credential harvesting?
A) aircrack-ng
B) hostapd-wpe
C) mdk
D) reaver
Answer: B
Explanation: hostapd-wpe is a patched version of hostapd that presents a web login page after WPA Enterprise authentication, enabling phishing.

Question 21. When using Bettercap to perform DNS spoofing, which module must be enabled?
A) net.recon
B) dns.spoof
C) http.proxy
D) wifi.proxy
Answer: B
Explanation: The dns.spoof module intercepts DNS queries and returns attacker-controlled responses.

Question 22. In 802.1X authentication, which protocol is commonly used for inner authentication after the TLS tunnel is established?
A) EAP-MD5
B) EAP-PEAP
C) EAP-SIM
D) EAP-TLS
Answer: B
Explanation: PEAP (Protected EAP) creates a TLS tunnel and then performs inner authentication (often MS-CHAPv2).

Question 23. Which attack vector targets WPA-Enterprise networks by downgrading TLS to a weaker version?
A) Evil twin with open authentication.
B) Hostapd-wpe with fake RADIUS server.
C) Deauthentication of all clients.
D) PMKID extraction from the AP.
Answer: B
Explanation: hostapd-wpe can be configured to present a fake RADIUS server that forces the client to use a weaker authentication method.

Question 24. The “RTS/CTS” mechanism in 802.11 is primarily used to:
A) Authenticate new clients.
B) Prevent hidden node collisions.
C) Encrypt data frames.
D) Assign IP addresses.
Answer: B
Explanation: RTS/CTS is a handshake that reserves the medium, mitigating collisions caused by hidden stations.

Question 25. Which 802.11 frame subtype is sent by a client to request reassociation with a different AP?
A) Reassociation Request
B) Disassociation Request
C) Probe Request
D) Authentication Request
Answer: A
Explanation: Reassociation Request is used when a client roams and wants to move its connection to another AP.
A) aireplay-ng -0 (deauth)
B) aireplay-ng -3 (fragmentation)
C) aireplay-ng -2 (ARP request replay)
D) aireplay-ng -9 (test injection)
Answer: C
Explanation: “-2” initiates ARP request replay, causing the AP to generate many encrypted packets.

Question 30. The “hidden SSID” technique hides the network name by:
A) Not broadcasting any Beacon frames.
B) Setting the SSID field to zero length in Beacons.
C) Encrypting the SSID with a secret key.
D) Using a random MAC address for the AP.
Answer: B
Explanation: Hidden SSIDs transmit Beacons with an empty SSID field; clients still send Probe Requests that reveal the name.

Question 31. Which Wi-Fi channel width is introduced with 802.11ac to achieve up to 1.3 Gbps?
A) 20 MHz
B) 40 MHz
C) 80 MHz
D) 160 MHz
Answer: C
Explanation: 802.11ac supports 80 MHz channels (and optional 160 MHz) to increase throughput.

Question 32. In WPA2-PSK, the Pairwise Master Key (PMK) is derived from:
A) The AP’s MAC address.
B) The user’s password and SSID via PBKDF2.
C) The client’s random nonce.
D) The EAPOL handshake.
Answer: B
Explanation: PMK = PBKDF2(PSK, SSID, 4096 iterations, 256-bit), using the passphrase and SSID as salt.

Question 33. Which of the following is a legal method to test the security of a wireless network you own?
A) Capturing handshakes from neighboring networks.
B) Using deauthentication attacks on your own clients.
C) Injecting packets into a public hotspot.
D) Performing a rogue AP attack on a corporate network.
Answer: B
Explanation: Deauth attacks on networks you control are permissible for testing; attacking others is illegal.

Question 34. The term “PMKID” refers to:
A) The identifier of the PMK stored in the AP’s configuration file.
B) A hash derived from the PMK and MAC addresses, transmitted in the first EAPOL frame of a RSN.
C) The IV used in WEP encryption.
D) The public key of the RADIUS server.
Answer: B
Explanation: PMKID = HMAC-SHA1(PMK, "PMK Name" || AA || SPA) and can be captured without a full 4-way handshake.

Question 35. Which tool can extract PMKID from a captured pcap and attempt offline cracking?
A) aircrack-ng
B) hashcat
C) pyrit
Explanation: Channels 4, 7, 10 overlap with each other and are not a non-overlapping set; 1-6-11 is the standard plan.

Question 39. A “mesh” wireless network differs from a traditional AP-client network because:
A) All nodes act as both routers and clients, forwarding traffic.
B) It uses only the 5 GHz band.
C) It does not support WPA2.
D) It requires a wired backbone for inter-node communication.
Answer: A
Explanation: Mesh networks allow each node to relay traffic, creating a self-healing topology.

Question 40. Which command enables monitor mode on a wireless interface using iw?
A) iw dev wlan0 set type monitor
B) iwconfig wlan0 mode monitor
C) ifconfig wlan0 up mon
D) airmon-ng start wlan
Answer: A
Explanation: “iw dev set type monitor” switches the interface to monitor mode; the other commands are legacy or wrapper utilities.

Question 41. The “RTS Threshold” parameter determines:
A) The maximum size of a data frame before RTS/CTS is used.
B) The minimum signal strength required for association.
C) The timeout for authentication.
D) The number of retries for ACK.
Answer: A
Explanation: If a frame exceeds the RTS threshold, the NIC sends an RTS before transmitting to avoid collisions.
Question 42. Which of the following is a characteristic of 802.11ax (Wi-Fi 6)?
A) Only supports 2.4 GHz.
B) Introduces OFDMA and uplink MU-MIMO.
C) Uses WEP as the default encryption.
D) Removes support for legacy devices.
Answer: B
Explanation: 802.11ax adds Orthogonal Frequency Division Multiple Access (OFDMA) and uplink MU-MIMO for higher efficiency.

Question 43. In a wireless capture, the presence of “EAPOL” frames without a following 4-way handshake indicates:
A) The network uses WPA3 only.
B) The client attempted authentication but failed.
C) The AP is using WEP.
D) The capture is corrupted.
Answer: B
Explanation: EAPOL messages are part of the 4-way handshake; if they stop early, the client likely failed authentication.

Question 44. Which of the following best describes a “Beacon Flood” attack?
A) Sending thousands of deauthentication frames.
B) Broadcasting a large number of fake Beacon frames to clutter the channel.
C) Overloading the AP with ARP requests.
D) Injecting malformed data frames to crash the AP.
Answer: B
Explanation: Beacon Flood creates many bogus networks, causing client confusion and possible denial of service.

Question 45. The “airbase-ng” tool is used to:
B) 5000 packets with the same IV.
C) 100,000 IVs (or more) depending on key length.
D) A single full-handshake.
Answer: C
Explanation: WEP cracking typically needs 100k-200k unique IVs to recover the key with high probability.

Question 49. Which of the following is the correct order of the 802.11 4-way handshake messages?
A) Message 1 – Message 2 – Message 3 – Message 4
B) Message 1 – Message 3 – Message 2 – Message 4
C) Message 2 – Message 1 – Message 4 – Message 3
D) Message 4 – Message 3 – Message 2 – Message 1
Answer: A
Explanation: The handshake follows a strict sequential order: 1 (AP→Client), 2 (Client→AP), 3 (AP→Client), 4 (Client→AP).

Question 50. Which Wi-Fi security protocol is immune to the “KRACK” replay attack?
A) WPA2-PSK
B) WPA2-Enterprise
C) WPA3-SAE
D) WEP
Answer: C
Explanation: WPA3’s SAE design eliminates the vulnerable key-installation step exploited by KRACK.

Question 51. The “airdecap-ng” tool is primarily used to:
A) Decrypt captured WPA/WPA2 traffic using a known PSK.
B) Capture handshakes from a live network.
C) Perform deauthentication attacks.
D) Generate a list of MAC addresses.
Answer: A
Explanation: airdecap-ng takes a capture file and a PSK to decrypt the data frames for analysis.

Question 52. Which of the following statements about “WPA2-PSK” and “WPA2-Enterprise” is true?
A) Both use the same 4-way handshake but differ in key derivation.
B) PSK uses a pre-shared secret, while Enterprise uses dynamic session keys from a RADIUS server.
C) Enterprise cannot be used on 5 GHz networks.
D) PSK provides forward secrecy, Enterprise does not.
Answer: B
Explanation: WPA2-PSK relies on a shared passphrase; WPA2-Enterprise uses 802.1X with a RADIUS server to issue per-session keys.

Question 53. In wireless terminology, “SSID cloaking” is achieved by:
A) Disabling beacon transmission entirely.
B) Setting the SSID to a random string each minute.
C) Using a zero-length SSID field in beacons.
D) Encrypting the SSID with AES.
Answer: C
Explanation: Cloaking hides the SSID in beacons by sending a null (zero-length) SSID, though clients can still discover it via probes.

Question 54. Which of the following is a legitimate use of the “aireplay-ng -9” test?
A) Verify that the wireless card can inject packets.
B) Capture a WPA handshake.
C) Deauthenticate all clients.
Answer: C
Explanation: Channels 52-64 (and 100-144) are DFS channels that require radar detection before use.

Question 58. The “aircrack-ng” suite’s “airodump-ng -c” option is used to:
A) Capture only control frames.
B) Limit capture to a specific channel.
C) Output captured handshakes to a CSV file.
D) Perform a channel hop every 5 seconds.
Answer: B
Explanation: “-c” tells airodump-ng to listen on a single channel instead of hopping.

Question 59. In the context of WPA3, the “SAE” handshake replaces the PSK with a:
A) Hash of the SSID.
B) Password-authenticated key exchange (PAKE).
C) Public-key certificate.
D) One-time token sent via SMS.
Answer: B
Explanation: SAE is a PAKE protocol that derives a shared secret from a password without transmitting it.

Question 60. Which of the following best describes the “Wi-Fi Protected Setup (WPS) PIN” attack using Reaver?
A) Brute-forcing the 8-digit PIN sequentially, exploiting the lockout after 8 attempts.
B) Exploiting a design flaw that reduces the PIN space to 10⁴ possibilities.
C) Using a side-channel timing attack on the AP’s RNG.
D) Capturing the PIN from the AP’s broadcast packets.
Answer: B
Explanation: Reaver leverages the fact that the 8-digit PIN is split into two halves (first 4 digits and last 4), each of which can be brute-forced independently, reducing the total attempts to ~10⁴.

Question 61. Which Wi-Fi frame subtype is used to acknowledge receipt of a data frame?
A) ACK (Control)
B) CTS (Control)
C) RTS (Control)
D) Block Ack (Control)
Answer: A
Explanation: ACK frames are control frames sent by the receiver to confirm successful reception of a data frame.

Question 62. The “aircrack-ng” attack mode “-a2” specifies which algorithm?
A) WEP
B) WPA/WPA2-PSK
C) WPA-Enterprise
D) WPA3-SAE
Answer: B
Explanation: “-a2” tells aircrack-ng to use the WPA/WPA2-PSK cracking algorithm.

Question 63. Which of the following is a primary benefit of using “OFDMA” in 802.11ax?
A) Larger modulation constellations.
B) Simultaneous transmission to multiple users on different sub-carriers.
C) Higher transmit power.
D) Elimination of the need for handshakes.
Answer: B
Explanation: OFDMA divides the channel into sub-carriers that can be allocated to different users, improving efficiency.