CWSP-206 Online Practice Questions and Answers

What WLAN client device behavior is exploited by an attacker during a hijacking attack?

A. After the initial association and 4-way handshake, client stations and access points do not need to perform another 4-way handshake, even if connectivity is lost.

B. Client drivers scan for and connect to access point in the 2.4 GHz band before scanning the 5 GHz band.

C. When the RF signal between a client and an access point is disrupted for more than a few seconds, the client device will attempt to associate to an access point with better signal quality.

D. When the RF signal between a client and an access point is lost, the client will not seek to reassociate with another access point until the 120 second hold down timer has expired.

E. As specified by the Wi-Fi Alliance, clients using Open System authentication must allow direct client-toclient connections, even in an infrastructure BSS.

In XYZ's small business, two autonomous 802.11ac APs and 12 client devices are in use with WPA2Personal. What statement about the WLAN security of this company is true?

A. Intruders may obtain the passphrase with an offline dictionary attack and gain network access, but will be unable to decrypt the data traffic of other users.

B. Because WPA2-Personal uses Open System authentication followed by a 4-Way Handshake, hijacking attacks are easily performed.

C. A successful attack against all unicast traffic on the network would require a weak passphrase dictionary attack and the capture of the latest 4-Way Handshake for each client.

D. An unauthorized wireless client device cannot associate, but can eavesdrop on some data because WPA2-Personal does not encrypt multicast or broadcast traffic.

E. An unauthorized WLAN user with a protocol analyzer can decode data frames of authorized users if he captures the BSSID, client MAC address, and a user's 4-Way Handshake.

ABC Corporation is evaluating the security solution for their existing WLAN. Two of their supported solutions include a PPTP VPN and 802.1X/LEAP. They have used PPTP VPNs because of their wide support in server and desktop operating systems. While both PPTP and LEAP adhere to the minimum requirements of the corporate security policy, some individuals have raised concerns about MS-CHAPv2 (and similar) authentication and the known fact that MS-CHAPv2 has proven vulnerable in improper implementations. As a consultant, what do you tell ABC Corporation about implementing MS-CHAPv2 authentication?

A. MS-CHAPv2 is only appropriate for WLAN security when used inside a TLS-encrypted tunnel.

B. When implemented with AES-CCMP encryption, MS-CHAPv2 is very secure.

C. MS-CHAPv2 uses AES authentication, and is therefore secure.

D. MS-CHAPv2 is compliant with WPA-Personal, but not WPA2-Enterprise.

E. LEAP's use of MS-CHAPv2 is only secure when combined with WEP.

In a security penetration exercise, a WLAN consultant obtains the WEP key of XYZ Corporation's wireless network. Demonstrating the vulnerabilities of using WEP, the consultant uses a laptop running a software AP in an attempt to hijack the authorized user's connections. XYZ's legacy network is using 802.11n APs with 802.11b, 11g, and 11n client devices. With this setup, how can the consultant cause all of the authorized clients to establish Layer 2 connectivity with the software access point?

A. When the RF signal between the clients and the authorized AP is temporarily disrupted and the consultant's software AP is using the same SSID on a different channel than the authorized AP, the clients will reassociate to the software AP.

B. If the consultant's software AP broadcasts Beacon frames that advertise 802.11g data rates that are faster rates than XYZ's current 802.11b data rates, all WLAN clients will reassociate to the faster AP.

C. A higher SSID priority value configured in the Beacon frames of the consultant's software AP will take priority over the SSID in the authorized AP, causing the clients to reassociate.

D. All WLAN clients will reassociate to the consultant's software AP if the consultant's software AP provides the same SSID on any channel with a 10 dB SNR improvement over the authorized AP.

What policy would help mitigate the impact of peer-to-peer attacks against wireless-enabled corporate laptop computers when the laptops are also used on public access networks such as wireless hotspots?

A. Require Port Address Translation (PAT) on each laptop.

B. Require secure applications such as POP, HTTP, and SSH.

C. Require VPN software for connectivity to the corporate network.

D. Require WPA2-Enterprise as the minimal WLAN security solution.

ABC Company is implementing a secure 802.11 WLAN at their headquarters (HQ) building in New York and at each of the 10 small, remote branch offices around the United States. 802.1X/EAP is ABC's preferred security solution, where possible. All access points (at the HQ building and all branch offices) connect to a single WLAN controller located at HQ. Each branch office has only a single AP and minimal IT resources. What security best practices should be followed in this deployment scenario?

A. Remote management of the WLAN controller via Telnet, SSH, HTTP, and HTTPS should be prohibited across the WAN link.

B. RADIUS services should be provided at branch offices so that authentication server and suppliant credentials are not sent over the Internet.

C. An encrypted VPN should connect the WLAN controller and each remote controller-based AP, or each remote site should provide an encrypted VPN tunnel to HQ.

D. APs at HQ and at each branch office should not broadcast the same SSID; instead each branch should have a unique ID for user accounting purposes.

While seeking the source of interference on channel 11 in your 802.11n WLAN running within 2.4 GHz, you notice a signal in the spectrum analyzer real time FFT display. The signal is characterized with the greatest strength utilizing only 1-2 megahertz of bandwidth and it does not use significantly more bandwidth until it has weakened by roughly 20 dB. At approximately -70 dB, it spreads across as much as 35 megahertz of bandwidth. What kind of signal is described?

A. A high-power ultra wideband (UWB) Bluetooth transmission.

B. A 2.4 GHz WLAN transmission using transmit beam forming.

C. A high-power, narrowband signal.

D. A deauthentication flood from a WIPS blocking an AP.

E. An HT-OFDM access point.

F. A frequency hopping wireless device in discovery mode.

For which one of the following purposes would a WIPS not be a good solution?

A. Enforcing wireless network security policy.

B. Detecting and defending against eavesdropping attacks.

C. Performance monitoring and troubleshooting.

D. Security monitoring and notification.

The following numbered items show some of the contents of each of the four frames exchanged during the 4-way handshake.

1.

Encrypted GTK sent

2.

Confirmation of temporal key installation

3.

ANonce sent from authenticator to supplicant

4.

SNonce sent from supplicant to authenticator, MIC included

Arrange the frames in the correct sequence beginning with the start of the 4-way handshake.

A. 1, 2, 3, 4

B. 3, 4, 1, 2

C. 4, 3, 1, 2

D. 2, 3, 4, 1

What field in the RSN information element (IE) will indicate whether PSK- or Enterprise-based WPA or WPA2 is in use?

A. Group Cipher Suite

B. Pairwise Cipher Suite List

C. AKM Suite List

D. RSN Capabilities