CWSP-208 Exam Dumps - CWNP CWSP Questions and Answers

MS-CHAPv2 is a widely used authentication protocol, but it has notable weaknesses:

B. MS-CHAPv2 is vulnerable to offline dictionary attacks. Attackers can capture authentication exchanges and attempt password guesses offline due to predictable hashing behavior.

D. The only secure use of MS-CHAPv2 is inside a secure tunnel (e.g., EAP-TTLS or PEAP), where credentials are protected during transmission.

Incorrect:

A. MS-CHAPv2 is used in WPA2-Enterprise, not WPA-Personal, and it is allowed under WPA2-Enterprise via PEAP.

C. WEP does not enhance LEAP’s security; it compounds vulnerabilities.

E and F. MS-CHAPv2 does not use AES for authentication. Using AES-CCMP for encryption does not fix MS-CHAPv2's weaknesses.

Wireless Intrusion Prevention Systems (WIPS) are excellent for detecting on-air threats such as rogue APs, DoS attacks, spoofing, and misconfigured devices. However, WIPS cannot detect:

C. Eavesdropping — Passive listening on wireless transmissions cannot be detected because no signal is transmitted by the attacker.

D. Social engineering — Human-based attacks like phishing or pretexting fall outside the scope of wireless monitoring.

Incorrect:

A. Rogue APs can be detected via MAC address comparison, frame analysis, and signal triangulation.

B. DoS attacks, such as deauth floods or RF jamming, can be detected with appropriate WIPS sensors.

Though AES-CCMP is secure and 802.1X authentication is strong, LEAP is inherently weak because:

B. LEAP uses MS-CHAPv1, making it vulnerable to offline dictionary attacks once challenge/response exchanges are captured.

F. Layer 1 DoS attacks (such as RF jamming or interference) can be launched regardless of authentication mechanisms.

Incorrect:

A. AES-CCMP resists encryption cracking.

C. Peer-to-peer at Layer 3 is unrelated to LEAP or 802.1X vulnerabilities.

D. Application-layer eavesdropping is mitigated if encryption is properly implemented.

E. Session hijacking is more difficult with proper authentication and encryption in place.

To hijack a wireless client, attackers often use:

An RF jamming device to disconnect the client from the legitimate AP (via deauth attacks or RF disruption)

A rogue AP (created using access point software) that impersonates the real network

DHCP server software to assign IP addresses and act as a gateway, completing the fake network

Incorrect:

B. Terminal emulation is not relevant.

C. Workgroup bridges and protocol analyzers are for monitoring, not attacking.

E. MAC spoofing and DoS do not complete a hijack.

802.11w, also known as Protected Management Frames (PMF), is designed to protect specific types of 802.11 management frames such as disassociation and deauthentication frames. These frames were previously sent unencrypted and could be spoofed by attackers to disconnect clients (DoS attacks). With 802.11w, these frames are cryptographically protected, mitigating such attacks.

PMF also includes replay protection for these management frames, preventing attackers from capturing and replaying them to disrupt network connectivity.

A Robust Security Network (RSN) is defined by the IEEE 802.11i standard and is designed to provide a framework for secure wireless LAN communications. One of the primary criteria for a network to qualify as an RSN is that WEP (Wired Equivalent Privacy) must not be used for encryption, as WEP has well-known vulnerabilities and is considered insecure. RSN-compliant networks must use either CCMP (AES) or GCMP for encryption and 802.1X/EAP or WPA2-Personal for authentication.

Incorrect:

A. Token cards are not part of RSN criteria.

B. Dynamic WEP is still WEP and disqualifies RSN status.

D. WPA-Personal may be supported, but alone does not define an RSN.

E. SSHv1 concerns device management security, not RSN qualification.

TKIP (Temporal Key Integrity Protocol) was introduced with WPA to enhance WEP security. One of the security mechanisms used in TKIP is a per-MPDU (MAC Protocol Data Unit) sequence counter called the TSC (TKIP Sequence Counter). The TSC acts as a form of replay protection by assigning a unique sequence number to each transmitted frame. If a packet is received with a sequence number lower than or equal to a previously received number, it is discarded. This directly prevents replay attacks, where a malicious actor resends previously captured frames in an attempt to spoof the session or extract data.