CEH v13 Domain 6.1 Practice Test 002

Question 1

During a wireless security audit of a financial institution's campus network, an assessor discovers that several legacy access points are still broadcasting using WEP encryption despite the organization's security upgrade policy. The assessor configures Airodump-ng to capture IV-rich packets and launches an ARP replay attack using Aireplay-ng to accelerate IV collection, then runs Aircrack-ng against the captured .cap file to recover the network key. Which attack technique did the assessor use?

A. ARP Replay Attack B. WPA Handshake Cracking C. PMKID Extraction D. Beacon Frame Flooding

Question 2

Clark is conducting an authorized wireless penetration test at a corporate headquarters and sets up a rogue access point broadcasting the same SSID as the legitimate enterprise Wi-Fi network. He uses a high-gain antenna to ensure his AP produces a stronger signal than the real one, causing wireless clients to automatically disconnect from the legitimate AP and associate with his rogue device. Which type of wireless attack has Clark performed?

A. Karma Attack B. Evil Twin Attack C. Deauthentication Flood D. SSID Spoofing

Question 3

A penetration tester assessing a WPA2-Personal network uses Airodump-ng to lock onto the target channel and begins capturing wireless traffic while waiting for client activity. She fires a targeted deauthentication frame at a connected station using Aireplay-ng to force it to reauthenticate, successfully capturing the 4-way handshake in her .cap file. Which technique did the penetration tester use to obtain material for offline password cracking?

A. WPA2 Handshake Capture B. PMKID Attack C. WEP IV Collection D. EAP Downgrade Attack

Question 4

Jane is performing a mobile security assessment at a financial services firm and uses a Bluetooth scanning tool to enumerate nearby discoverable devices broadcasting standard Bluetooth profiles. She exploits a vulnerability in the OBEX Push Profile to connect to a target smartphone without completing the pairing process and silently extracts the contact list, calendar entries, and stored SMS messages. Which Bluetooth attack did Jane execute?

A. Bluejacking B. Bluebugging C. Bluesnarfing D. BlueSmack

Question 5

An enterprise organization has disabled SSID broadcasting on all internal access points, believing this configuration alone prevents unauthorized users from discovering the wireless network. A penetration tester runs Airodump-ng in passive monitoring mode and captures probe request frames sent by a legitimate client device attempting to reconnect to the network, revealing the hidden SSID in plaintext. Which technique allowed the penetration tester to uncover the concealed network name?

A. Active SSID Brute Force B. Passive Probe Frame Capture C. Beacon Frame Injection D. Wardriving

Question 6

Kevin is performing a wireless assessment at a busy conference venue and observes that attendees' devices are actively broadcasting probe requests for previously associated networks such as 'HomeNetwork' and 'CorpWiFi.' He configures his wireless adapter to respond to every incoming probe request with a matching SSID, causing nearby devices to automatically associate with his rogue access point. Which wireless attack technique is Kevin using?

A. Evil Twin Attack B. Deauthentication Attack C. Karma Attack D. Beacon Flood

Question 7

Select all that apply

A security analyst is building an internal red team lab to demonstrate 802.11 management frame vulnerabilities and needs to show how wireless clients can be forcibly disconnected from a WPA2-Enterprise network without knowing the pre-shared key. She reviews her toolkit to identify which tools are capable of transmitting spoofed deauthentication and disassociation frames at scale to disconnect multiple clients simultaneously. Which two tools can be used to perform deauthentication attacks against wireless clients? (Choose two)

A. Aireplay-ng B. Hashcat C. MDK4 D. Wireshark E. Kismet

Question 8

A penetration tester targeting a WPA2-Personal network wants to recover the pre-shared key without waiting for an active client to connect and initiate a 4-way handshake with the access point. He uses hcxdumptool to capture EAPOL frames directly from the AP and extracts the PMKID value, then inputs the output file into Hashcat with a targeted wordlist for offline cracking. Which wireless attack technique did the penetration tester perform?

A. Deauthentication Replay B. WPA2 Handshake Cracking C. PMKID Attack D. Evil Twin Credential Harvest

Question 9

Select all that apply

A security team conducting a wireless risk assessment at an oil refinery discovers that legacy SCADA sensors and PLCs communicate over 802.11b/g wireless links with no centralized wireless intrusion detection system in place. The team must brief management on the two wireless threats that pose the greatest risk to the availability and integrity of industrial control communications in this environment. Which two wireless attacks most directly threaten operational continuity for this OT wireless network? (Select two)

A. PMKID Hash Extraction B. Deauthentication Attack C. Rogue Access Point D. Wardriving E. SSID Enumeration

Question 10

Elijah is reviewing the wireless security posture of a corporate campus that recently upgraded all access points from WPA2-Personal to WPA3-Personal and wants to understand the specific protocol change that protects against offline dictionary attacks on captured wireless traffic. He notes that WPA3 replaces the traditional Pre-Shared Key exchange with a new handshake method that provides forward secrecy and ensures that captured wireless frames cannot be decrypted even if the password is later discovered. Which authentication protocol does WPA3-Personal use in place of the WPA2 PSK 4-way handshake?

A. EAP-TLS B. SAE (Simultaneous Authentication of Equals) C. 802.1X / RADIUS D. PEAP-MSCHAPv2

ByThe Test Master

Related Post

CEH v13 Domain 7.1 Practice Test 002

CEH v13 Domain 5.3 Practice Test 002

CEH v13 Domain 5.2 Practice Test 002